Releases: mthcht/ThreatHunting-Keywords-yara-rules
Releases · mthcht/ThreatHunting-Keywords-yara-rules
October 2024 updates
October 2024 updates
- 145 tools added, plus multiple existing tools updated.
- 57774 detection patterns
In progress:
- Automated recuperation of hashes from github releases of each tool as soon as they are released
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
metadata_severity_score
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
new keyword detection patterns added for the following tools :
- 4shared.com
- ADFSDump
- ADPassHunt
- ADSyncDecrypt
- Acunetix Web Vulnerability Scanner
- Adzok
- Argus
- Avast
- BadPotato
- BetterSafetyKatz
- BrowserSnatch
- Cable
- Certify
- CheckPort
- Checkmate
- ChromeCookiesView
- Cmdkey
- DNS-Hijacking
- Dataplicity
- Decrypt-RDCMan
- DecryptRDCManager
- Dirty-Vanity
- EarthWorm
- Eventlogedit-evt--General
- Eventlogedit-evtx--Evolution
- ForgeCert
- FruityC2
- GMSAPasswordReader
- GlobalUnProtect
- GodPotato
- Imminent-Monitor
- Inveigh
- Invoke-RDPThief
- JuicyPotato
- KeeTheft
- KrbRelay
- KrbRelay-SMBServer
- KrbRelayUp
- LAPSToolkit
- LsassReflectDumping
- MSSprinkler
- MozillaCookiesView
- NamelessC2
- NetSess
- NetworkServiceExploit
- NoPowerShell
- PSAttack
- PWDumpX
- PassTheCert
- PortQry
- Poshito
- PowerShellRunner
- PowerUpSQL
- PowerView
- Prince-Ransomware
- PrintSpoofer
- PrivExchange
- Procdump
- PwDump7
- PwDump8
- RottenPotatoNG
- Rubeus
- RunasCs
- Rust Localtunnels
- RustiveDump
- SCMUACBypass
- SMBTrap
- Seatbelt
- ShadowSpray
- SharpChrome
- SharpDPAPI
- SharpEfsPotato
- SharpGPOAbuse
- SharpGpo
- SharpHound
- SharpKatz
- SharpLAPS
- SharpMove
- SharpOxidResolver
- SharpPack
- SharpRDP
- SharpSCCM
- SharpSQL
- SharpUp
- SharpView
- Sharpmad
- SigmaPotato
- SimpleBackdoorAdmin
- Smbtouch-Scanner
- Termite
- Trellonet
- WCE
- Whisker
- adfsbrute
- arp
- atnow
- attrib
- btunnel
- burrow
- certoc
- cobaltstrike
- creddump7
- csexec
- dir
- dropbear
- easyupload.io
- echo
- emkei.cz
- fgdump
- find
- findstr
- hak5 cloudc2
- htran
- libprocesshider
- ln
- localtunnels
- localxpose
- lslsass
- ms-appinstaller
- net
- powershell
- precompiled-binaries
- pretender
- pslist
- psobf
- putty
- pwnlook
- quarkspwdump
- rdp
- reg
- resocks
- sc
- shootback
- smbscan
- sshdoor
- stunnel
- tmate
- tun2socks
- unset
- w32times
- wevtutil
- winPEAS
- winexe
- wso-webshell
- xspy
v1.0.5.1
August 2024 updates
- 137 new tools added, plus multiple existing tools updated.
- 53907 detection patterns
- Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
- Significant updates to MITRE techniques and tactics.
- More Threat actor group names associated with all relevant tools using the ransomware tool matrix and MITRE groups page
- The new
metadata_tagscolumn has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, new tags for #filehash and #GUIDproject are fully populated . Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress but are steadily being updated. - small correction of a subfolder name in the
toolsfolder - 2024/09/09 - correction duplicated rules + parenthese errors
In progress:
- Automated recuperation of hashes from github releases of each tool as soon as they are released
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
metadata_severity_score
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
- tool matrix enhancements
- new tags in the
metadata_tagscolumn
links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo (this repo): https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
new keyword detection patterns added for the following tools :
- 1ty.me
- Arduino Pro Micro
- AsyncRAT-C-Sharp
- Atera
- BITSInject
- BadRentdrv2
- BloodHound
- Burntcigar KillAV
- C3
- Cactus WHID
- ChaiLdr
- ComodoRMM (Itarian RMM)
- Digispark Attiny85
- DirtyCLR
- EHORUS RMM
- ExtPassword.exe
- Fynloski Backdoor
- Gato-X
- GoAWSConsoleSpray
- Hak5 BashBunny
- Hak5 Lan turtle
- Hak5 O.MG Cable
- Hak5 Rubber Ducky
- Hak5 Screen Crab
- Hak5 Wifi Pineapple
- Invoke-Maldaptive
- Invoke-SocksProxy
- KeeFarce
- Lansweeper
- LostMyPassword
- MEGAcmd
- Maestro
- MailPassView
- NamedPipeMaster
- Nordic NRF52840
- OperaPassView
- PCHunter
- POC
- PS2EXE
- PowerLess
- PrintSpoofer
- PrivFu
- RDP Recognizer
- ROADtoken
- RouterPassView
- RouterScan
- Rust-Malware-Samples
- SCCMSecrets
- Sandman
- SecretServerSecretStealer
- ShareAudit
- SharpDump
- ShellGen
- ShimMe
- Shwmae
- SirepRAT
- SniffPass
- SpoolFool
- TDSKiller
- Taskmgr
- Telemetry
- TimeException
- TinyMet
- TokenFinder
- TrickDump
- TrueSocks
- Universal Virus Sniffer
- VNCPassView
- WSMan-WinRM
- WindowsDowndate
- ZeroHVCI
- _
- adfind
- aircrack
- arp
- asleap
- attrib
- autoNTDS
- bcdedit
- bcedit
- canisrufus
- chashell
- defender-control
- del
- dnskire
- dnspot
- dropmefiles.com
- dsregcmd
- echo
- eraser
- fex.net
- fleetdeck
- fleetdm
- gsecdump
- hackshell
- hookchain
- http.server
- jecretz
- keywa7
- knowsmore
- metasploit
- mimikatz
- net
- netsh
- nps
- nsocks
- oset
- pingcastle
- powershell
- premiumize.me
- privnote.com
- processhacker
- put.io
- qaz.im
- qaz.is
- qaz.su
- quiet-riot
- reg
- rmdir
- rs-shell
- rsocks
- sc
- schtasks
- secretsdump
- share.riseup.net
- sharphound
- shellsilo
- socat
- ssh
- sshamble
- systeminfo
- taskkill
- tasklist
- tor
- ufile.io
- wevtutil
- wmic
August 2024 updates
August 2024 updates
- 137 new tools added, plus multiple existing tools updated.
- 53907 detection patterns
- Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
- Significant updates to MITRE techniques and tactics.
- More Threat actor group names associated with all relevant tools using the ransomware tool matrix and MITRE groups page
- The new
metadata_tagscolumn has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, new tags for #filehash and #GUIDproject are fully populated . Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress but are steadily being updated. - small correction of a subfolder name in the
toolsfolder - 2024/09/09 - correction duplicated rules + parenthese errors
In progress:
- Automated recuperation of hashes from github releases of each tool as soon as they are released
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
metadata_severity_score
- combination with another project to automatically compile and upload to virustotal some critical tools selected with the
- tool matrix enhancements
- new tags in the
metadata_tagscolumn
links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo (this repo): https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
new keyword detection patterns added for the following tools :
- 1ty.me
- Arduino Pro Micro
- AsyncRAT-C-Sharp
- Atera
- BITSInject
- BadRentdrv2
- BloodHound
- Burntcigar KillAV
- C3
- Cactus WHID
- ChaiLdr
- ComodoRMM (Itarian RMM)
- Digispark Attiny85
- DirtyCLR
- EHORUS RMM
- ExtPassword.exe
- Fynloski Backdoor
- Gato-X
- GoAWSConsoleSpray
- Hak5 BashBunny
- Hak5 Lan turtle
- Hak5 O.MG Cable
- Hak5 Rubber Ducky
- Hak5 Screen Crab
- Hak5 Wifi Pineapple
- Invoke-Maldaptive
- Invoke-SocksProxy
- KeeFarce
- Lansweeper
- LostMyPassword
- MEGAcmd
- Maestro
- MailPassView
- NamedPipeMaster
- Nordic NRF52840
- OperaPassView
- PCHunter
- POC
- PS2EXE
- PowerLess
- PrintSpoofer
- PrivFu
- RDP Recognizer
- ROADtoken
- RouterPassView
- RouterScan
- Rust-Malware-Samples
- SCCMSecrets
- Sandman
- SecretServerSecretStealer
- ShareAudit
- SharpDump
- ShellGen
- ShimMe
- Shwmae
- SirepRAT
- SniffPass
- SpoolFool
- TDSKiller
- Taskmgr
- Telemetry
- TimeException
- TinyMet
- TokenFinder
- TrickDump
- TrueSocks
- Universal Virus Sniffer
- VNCPassView
- WSMan-WinRM
- WindowsDowndate
- ZeroHVCI
- _
- adfind
- aircrack
- arp
- asleap
- attrib
- autoNTDS
- bcdedit
- bcedit
- canisrufus
- chashell
- defender-control
- del
- dnskire
- dnspot
- dropmefiles.com
- dsregcmd
- echo
- eraser
- fex.net
- fleetdeck
- fleetdm
- gsecdump
- hackshell
- hookchain
- http.server
- jecretz
- keywa7
- knowsmore
- metasploit
- mimikatz
- net
- netsh
- nps
- nsocks
- oset
- pingcastle
- powershell
- premiumize.me
- privnote.com
- processhacker
- put.io
- qaz.im
- qaz.is
- qaz.su
- quiet-riot
- reg
- rmdir
- rs-shell
- rsocks
- sc
- schtasks
- secretsdump
- share.riseup.net
- sharphound
- shellsilo
- socat
- ssh
- sshamble
- systeminfo
- taskkill
- tasklist
- tor
- ufile.io
- wevtutil
- wmic
ThreatHunting-Keywords-yara-rules
July 2024 updates
- 74 tools added + multiple tools updated
- 45917 detection patterns
- for the main project - updated README + a new column named
metadata_tagswas added to include multiple tags for identifying specific artifacts, such as #filehash, #namedpipe, #registry, #GUIDproject, etc. This will help avoid creating new columns or mixing them into the comment column (work in progress).
links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
keyword detection patterns added for the following tools :
- ADAPE-Script
- Aoyama
- Arbitrium-RAT
- Ask4Creds
- BackHAck
- BarracudaRMM
- BlackShades
- Cam-Hackers
- CheckSMBSigning
- ComodoRMM
- CursedChrome
- DeadPotato
- EDRPrison
- Gecko
- Godzilla
- IHxExec
- Invoke-GrabTheHash
- Invoke-PowerIncrease
- Invoke-RunAsSystem
- Invoke-s4u2self
- Kematian Stealer
- KeyCredentialLink
- Lime-RAT
- Moriarty
- Necro-Stealer
- Openssh
- PEASS-ng
- POC
- PassSpray
- Powerlurk
- PredatorTheStealer
- ProtectMyTooling
- Psnmap
- SessionExec
- SharpIncrease
- SharpVeeamDecryptor
- SoftEtherVPN
- SomalifuscatorV2
- SystemBC
- TGT_Monitor
- Token-Impersonation
- WSAAcceptBackdoor
- WinSCP
- blackvision
- certutil
- dir
- dirdevil
- esxcli
- filetransfer.io
- gmer
- hackforums.net
- icacls
- impacket
- mshta
- net
- openssh-portable
- panix
- paste.ee
- plink
- powershell
- printspoofer
- ransomware_notes
- reg
- saycheese
- sc
- schtasks
- sgn
- shutter
- specula
- ssh
- taskkill
- vncviewer
- win-brute-logon
- wmic
v1.0.3
June 2024 updates
- 97 tools added + multiple tools updated
- 43126 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- ThreatHunting-Keywords project: https://github.com/mthcht/ThreatHunting-Keywords
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added:
- Alpemix
- AmperageKit
- AnyplaceControl
- anyviewer
- atexec-pro
- AutoHotkey
- auvik
- AV_Evasion_Tool
- AVKiller
- aweray
- Azure Storage Explorer
- chntpw
- clickjack
- comsvcs.dll
- conpass
- crowdstrike falcon
- csvde
- Ddexec
- DEDSEC-RANSOMWARE
- Disable-TamperProtection
- discord
- discord-c2
- Discord-RAT-2.0
- DriverDump
- fetch-some-proxies
- File-Tunnel
- Get-WmiObject
- GlllPowerloader
- gofile.io
- hidden-tear
- Ikeext-Privesc
- impacketremoteshell
- Invoke-ADEnum
- Invoke-DumpMDEConfig
- killProcessPOC
- level.io
- localtonet
- Lockless
- MakeMeAdmin
- MDE_Enum
- MetasploitCoop
- Microsoft Recall
- mimipy
- mythic
- net
- NetRipper
- nipe
- NoodleRAT
- NordVPN
- OshiUpload
- pcunlocker
- PewPewPew
- pico
- POC
- PowerBreach
- Powerpick
- powershell
- PWA-Phishing
- pyobfuscate
- PySQLRecon
- ransomware_notes
- RdpStrike
- rdrleakdiag
- RealBlindingEDR
- reconftw
- reg
- regsvr32
- RemoteKrbRelay
- responder
- rotateproxy
- SafetyDump
- sc
- SchTask_0x727
- ScriptBlock-Smuggling
- sdelete
- set
- ShadowStealer
- SharpAppLocker
- SharpCOM
- SharpDecryptPwd
- SharpEdge
- SharpLogger
- SharpSC
- SharpSSDP
- SharpThief
- spinningteacup
- suo5
- TotalRecall
- tsh
- tsh-go
- Tsunami
- usaupload
- VenomousSway
- VNCViewer
- Voidgate
- wmic
- XiebroC2
Details of added + updated tools Full Changelog: v1.0.2...v1.0.3
ThreatHunting-Keywords
May 2024 updates
- 72 tools added
- 39865 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- ThreatHunting-Keywords project: https://github.com/mthcht/ThreatHunting-Keywords
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added:
- 1secmail.com
- AD-common-queries
- ADFSDump-PS
- AMSITrigger
- Adcheck
- AmsiBypass
- AutoIt
- BadWindowsService
- Blank-Grabber
- BlankOBF
- CLR-Injection
- DoubleDrive
- EASSniper
- GTFONow
- HTTP-Shell
- IPPrintC2
- Invoke-DNSteal
- Invoke-Stealth
- LTProxy
- Luna-Grabber
- Malware RAT collection
- Neo-reGeorg
- OSEP-Code-Snippets
- Omnispray
- PPLSystem
- PSAsyncShell
- Powershell-Scripts-for-Hackers-and-Pentesters
- Proxifier
- QuickAssist
- RITM
- RPC-Backdoor
- RedTeam_Tools_n_Stuff
- Rust-for-Malware-Development
- S-inject
- SharpBruteForceSSH
- SharpElevator
- SharpPersistSD
- SharpRODC
- ShellServe
- ShellSync
- ThievingFox
- TokenTacticsV2
- TunnelVision
- arsenal
- beeceptor.com
- btunnel.in
- dropbox
- guerrillamail
- homeway.io
- killer
- ldap queries
- localhost.run
- lolminer
- maildrop
- mega.co.nz
- myftp.biz
- myftp.org
- nbtscan
- netcat
- no_defender
- pamspy
- pinggy
- powershell
- powerview
- pwcrack-framework
- python
- r77-rootkit
- remoteit
- serveo.net
- spraycharles
- staqlab-tunnel
- temp-mail
Details of added + updated tools Full Changelog: v1.0.1...v1.0.2
ThreatHunting-Keywords
April 2024 updates
- 152 tools updated
- 35380 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added/Updated rules:
-
all.yara
-
greyware_tools.yara
-
offensive_tools.yara
-
Ammyy Admin.yara
-
adexplorer.yara
-
boringproxy.yara
-
crowbar.yara
-
curl.yara
-
FileZilla.yara
-
duckdns.org.yara
-
expose.yara
-
go-http-tunnel.yara
-
gost.yara
-
gsocket.yara
-
gt.yara
-
hypertunnel.yara
-
jprq.yara
-
lsa-whisperer.yara
-
netsh.yara
-
ngrok.yara
-
Portr.yara
-
PyPagekite.yara
-
pgrok.yara
-
powershell.yara
-
python.yara
-
SetACL.yara
-
SirTunnel.yara
-
rathole.yara
-
reg.yara
-
remotemoe.yara
-
restic.yara
-
reverse-tunnel.yara
-
setspn.yara
-
shadowsocks.yara
-
sish.yara
-
softperfect networkscanner.yara
-
tunnel.yara
-
tunneller.yara
-
tunnelmole-client.yara
-
tunnelto.dev.yara
-
tunwg.yara
-
wget.yara
-
wiretap.yara
-
zrok.yara
-
ASPJinjaObfuscator.yara
-
BrowsingHistoryView.yara
-
CelestialSpark.yara
-
bpf-keylogger.yara
-
curlshell.yara
-
DLHell.yara
-
FilelessPELoader.yara
-
fuegoshell.yara
-
KExecDD.yara
-
impacket.yara
-
kali.yara
-
LDAP-Password-Hunter.yara
-
LetMeowIn.yara
-
NetNTLMtoSilverTicket.yara
-
lsassy.yara
-
metasploit.yara
-
nanodump.yara
-
Ouned.yara
-
PILOT.yara
-
Python-Rootkit.yara
-
prefetch-tool.yara
-
pyrdp.yara
-
Shell3er.yara
-
var0xshell.yara
-
veeam-creds.yara
-
wmiexec-pro.yara
-
wraith.yara
-
Amnesiac.yara
-
Antivirus Signature.yara
-
BeRoot.yara
-
Invoke-TheHash.yara
-
KPortScan.yara
-
kiglogger.yara
-
Lime-Crypter.yara
-
merlin.yara
-
PEASS.yara
-
SharpEDRChecker.yara
-
Venom.yara
-
cat.yara
-
icalcs.yara
-
RemotePC.yara
-
rdpwrap.yara
-
regsvr32.yara
-
ren.yara
-
takeown.yara
-
AMSI-Provider.yara
-
EvilClippy.yara
-
dll-hijack-by-proxying.yara
-
GraphSpy.yara
-
LocalShellExtParse.yara
-
MacroMeter.yara
-
NTMLRecon.yara
-
NetshHelperBeacon.yara
-
lnk2pwn.yara
-
logon_backdoor.yara
-
masscan.yara
-
mimidogz.yara
-
nishang.yara
-
Offensive-Netsh-Helper.yara
-
OffensiveCpp.yara
-
Office-Persistence.yara
-
Persistence-Accessibility-Features.yara
-
persistence_demos.yara
-
RID-Hijacking.yara
-
SharpDllProxy.yara
-
SharpGPOAbuse.yara
-
ShimDB.yara
-
Snaffler.yara
-
rattler.yara
-
spoofing-office-macro.yara
-
tricky.lnk.yara
-
Waitfor-Persistence.yara
-
WinPirate.yara
-
Windows-Crack.yara
-
vbad.yara
-
viperc2.yara
-
xz.yara
-
Ahk2Exe.yara
-
adfind.yara
-
adrecon.yara
-
Goodsync.yara
-
IObitUnlocker.yara
-
meshcentral.yara
-
psexec.yara
-
RemCom.yara
-
sc.yara
-
slack.yara
-
whoami.yara
-
wireproxy.yara
-
AzureADLateralMovement.yara
-
ccmpwn.yara
-
copy.yara
-
crackmapexec.yara
-
Defeat-Defender.yara
-
DragonCastle.yara
-
goWMIExec.yara
-
Jasmin-Ransomware.yara
-
Koppeling.yara
-
NTHASH-FPC.yara
-
mssqlproxy.yara
-
PickleC2.yara
-
poshc2.yara
-
pwdump.yara
-
ScheduleRunner.yara
-
SharpNoPSExec.yara
-
SharpSCCM.yara
-
SharpWSUS.yara
-
Slackor.yara
-
Tchopper.yara
-
scshell.yara
-
WMEye.yara
Details:
Lists:
- 15,134 changes: 13,959 additions & 1,175 deletions in yara_rules/all.yara
- 7,017 changes: 5,220 additions & 1,797 deletions in yara_rules/offensive_tools.yara
- 7,598 changes: 7,339 additions & 259 deletions in yara_rules/greyware_tools.yara
Tools:
- 1,131 changes: 567 additions & 564 deletions 1,131 yara_rules/offensive_tool_keyword/L-N/metasploit.yara
- 10 changes: 5 additions & 5 deletions 10 yara_rules/offensive_tool_keyword/R-T/SharpWSUS.yara
- 10 changes: 5 additions & 5 deletions 10 yara_rules/offensive_tool_keyword/U-W/WMEye.yara
- 101 changes: 52 additions & 49 deletions 101 yara_rules/offensive_tool_keyword/L-N/lsassy.yara
- 105 changes: 54 additions & 51 deletions 105 yara_rules/offensive_tool_keyword/L-N/nanodump.yara
- 11 changes: 4 additions & 7 deletions 11 yara_rules/greyware_tool_keyword/A-C/Ammyy Admin.yara
- 110 changes: 110 additions & 0 deletions 110 yara_rules/greyware_tool_keyword/R-T/tunnelmole-client.yara
- 112 changes: 71 additions & 41 deletions 112 yara_rules/offensive_tool_keyword/I-K/Jasmin-Ransomware.yara
- 114 changes: 57 additions & 57 deletions 114 yara_rules/offensive_tool_keyword/L-N/nishang.yara
- 116 changes: 116 additions & 0 deletions 116 yara_rules/greyware_tool_keyword/A-C/crowbar.yara
- 119 changes: 119 additions & 0 deletions 119 yara_rules/greyware_tool_keyword/A-C/boringproxy.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/O-Q/psexec.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/R-T/reg.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/U-W/whoami.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/offensive_tool_keyword/L-N/mssqlproxy.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/offensive_tool_keyword/R-T/Snaffler.yara
- 12 changes: 6 additions & 6 deletions 12 yara_rules/signature_keyword/A-C/Antivirus Signature.yara
- 12 changes: 9 additions & 3 deletions 12 yara_rules/greyware_tool_keyword/L-N/netsh.yara
- 122 changes: 122 additions & 0 deletions 122 yara_rules/offensive_tool_keyword/O-Q/Ouned.yara
- 125 changes: 125 additions & 0 deletions 125 yara_rules/greyware_tool_keyword/R-T/rdpwrap.yara
- 125 changes: 125 additions & 0 deletions 125 yara_rules/offensive_tool_keyword/O-Q/Python-Rootkit.yara
- 13 changes: 8 additions & 5 deletions 13 yara_rules/offensive_tool_keyword/I-K/kali.yara
- 137 changes: 137 additions & 0 deletions 137 yara_rules/greyware_tool_keyword/A-C/Ahk2Exe.yara
- 140 changes: 140 additions & 0 deletions 140 yara_rules/greyware_tool_keyword/R-T/tunwg.yara
- 146 changes: 146 additions & 0 deletions 146 yara_rules/offensive_tool_keyword/D-F/Defeat-Defender.yara
- 149 changes: 149 additions & 0 deletions 149 yara_rules/greyware_tool_keyword/E-H/go-http-tunnel.yara
- 15 changes: 9 additions & 6 deletions 15 yara_rules/offensive_tool_keyword/U-W/veeam-creds.yara
- 152 changes: 152 additions & 0 deletions 152 yara_rules/greyware_tool_keyword/O-Q/PyPagekite.yara
- 16 changes: 8 additions & 8 deletions 16 yara_rules/offensive_tool_keyword/A-C/adfind.yara
- 162 changes: 81 additions & 81 deletions 162 yara_rules/offensive_tool_keyword/A-C/Amnesiac.yara
- 164 changes: 164 additions & 0 deletions 164 yara_rules/offensive_tool_keyword/U-W/WinPirate.yara
- 167 changes: 167 additions & 0 deletions 167 yara_rules/greyware_tool_keyword/R-T/reverse-tunnel.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/greyware_tool_keyword/R-T/regsvr32.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/greyware_tool_keyword/R-T/slack.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/offensive_tool_keyword/U-W/Windows-Crack.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/Ammyy Admin.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/Amnesiac.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/BeRoot.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/Invoke-TheHash.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/Jasmin-Ransomware.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/KPortScan.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/kiglogger.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/L-N/Lime-Crypter.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/L-N/merlin.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/O-Q/PEASS.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/O-Q/Python-Rootkit.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/R-T/SharpEDRChecker.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/U-W/Venom.yara
- 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/U-W/wraith.yara
- 172 changes: 86 additions & 86 deletions 172 yara_rules/offensive_tool_keyword/L-N/NTHASH-FPC.yara
- 178 changes: 89 additions & 89 deletions 178 yara_rules/greyware_tool_keyword/R-T/RemotePC.yara
- 179 changes: 179 additions & 0 deletions 179 yara_rules/greyware_tool_keyword/I-K/jprq.yara
- 179 changes: 179 additions & 0 deletions 179 yara_rules/greyware_tool_keyword/R-T/tunneller.yara
- 18 changes: 9 additions & 9 deletions 18 yara_rules/greyware_tool_keyword/A-C/adfind.yara
- 18 changes: 9 additions & 9 deletions 18 yara_rules/offensive_tool_keyword/R-T/SharpNoPSExec.yara
- 19 changes: 11 additions & 8 deletions 19 yara_rules/greyware_tool_keyword/R-T/sc.yara
- 198 changes: 99 additions & 99 deletions 198 yara_rules/offensive_tool_keyword/A-C/crackmapexec.yara
- 2 changes: 1 addition & 1 deletion 2 yara_rules/greyware_tool_keyword/O-Q/powershell.yara
- 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/A-C/AzureADLateralMovement.yara
- 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/A-C/copy.yara
- 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/R-T/scshell.yara
- 20 changes: 10 additions & 10 deletions 20 yara_rules/offensive_tool_keyword/R-T/ScheduleRunner.yara
- 20 changes: 20 additions & 0 deletions 20 yara_rules/greyware_tool_keyword/R-T/setspn.yara
- 20 changes: 20 additions & 0 deletions 20 yara_rules/greyware_tool_keyword/U-W/wget.yara
- 21 changes: 12 additions & 9 deletions 21 yara_rules/greyware_tool_keyword/L-N/netsh.yara
- 21 changes: 21 additions & 0 deletions 21 yara_rules/gre...
ThreatHunting-Keywords
February and March 2024 updates
- 144 tools updated
- 30513 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
more details on each tool added in the next releases...
First release contributors details of https://github.com/mthcht/ThreatHunting-Keywords
Contributors
- @wikijm made their first contribution in mthcht/ThreatHunting-Keywords#4
- @Ekitji made their first contribution in mthcht/ThreatHunting-Keywords#9
Contributors updates since the publication
- Update README.md by @wikijm in mthcht/ThreatHunting-Keywords#4
- Update th_keywords_processnames_elk.txt by @Ekitji in mthcht/ThreatHunting-Keywords#9
- striped version of suspicious_http_user_agents_list.csv with only focus on non bots by @Ekitji in mthcht/ThreatHunting-Keywords#10
- Update README.md by @Ekitji in mthcht/ThreatHunting-Keywords#11
- Update user_agent_elk.txt by @Ekitji in mthcht/ThreatHunting-Keywords#12
- Update suspicious_named_pipe_elk.txt by @Ekitji in mthcht/ThreatHunting-Keywords#13
- fixed some issues with numbs and so on by @Ekitji in mthcht/ThreatHunting-Keywords#14
- minor adjustments by @Ekitji in mthcht/ThreatHunting-Keywords#15
- Update th_keywords_processnames_elk.txt by @Ekitji in mthcht/ThreatHunting-Keywords#16
- Update user_agent_elk.txt by @Ekitji in mthcht/ThreatHunting-Keywords#17
- some additions and updates by @Ekitji in mthcht/ThreatHunting-Keywords#18
- Adding AnyDesk.exe previous version (file named 'previous-version') by @wikijm in mthcht/ThreatHunting-Keywords#21
Contributors
wikijm and Ekitji