Commit
update
mthcht committed Jan 7, 2025
1 parent cd6c24e commit eb2a7c7
Showing 67 changed files with 3,161 additions and 1,050 deletions.
338 changes: 240 additions & 98 deletions greyware_tool_keyword.csv
655 changes: 434 additions & 221 deletions offensive_tool_keyword.csv
354 changes: 348 additions & 6 deletions only_keywords.txt
354 changes: 348 additions & 6 deletions only_keywords_regex.txt
501 changes: 421 additions & 80 deletions only_keywords_regex_better_perf.txt
1 change: 1 addition & 0 deletions signature_keyword.csv
@@ -383,6 +383,7 @@
"*Win32:Gsecdump*",".{0,1000}Win32\:Gsecdump.{0,1000}","signature_keyword","gsecdump","credential dumper used to obtain password hashes and LSA secrets from Windows operating systems","T1003.001 - T1003.002 - T1555.003 - T1555.001","TA0006 - TA0008","N/A","APT1 - PittyTiger - Tonto Team - BRONZE BUTLER - Threat Group-3390 - APT22 - APT24 - APT27 - Night Dragon - Tick","Credential Access","https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe","1","0","#Avsignature","N/A","10","10","N/A","N/A","N/A","N/A"
"*Win32:Trojan*",".{0,1000}Win32\:Trojan.{0,1000}","signature_keyword","Antivirus Signature","Antiviurs signature_keyword","N/A","N/A","N/A","N/A","Malware","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"*Win64.Mimikatz*",".{0,1000}Win64\.Mimikatz.{0,1000}","signature_keyword","mimikatz","Mimikatz AV signatures","T1134.005 - T1098 - T1547.005 - T1555 - T1555.003 - T1555.004 - T1003.001 - T1003.002 - T1003.004 - T1003.006 - T1207 - T1649 - T1558.001 - T1558.002 - T1552.004 - T1550.002 - T1550.003","TA0004 - TA0006 - TA0003 - TA0008 - TA0009","N/A","APT1 - APT24 - APT28 - APT29 - APT32 - APT33 - APT38 - APT39 - APT41 - APT5 - Akira - Avivore - BERSERK BEAR - BOSS SPIDER - BRONZE BUTLER - BackdoorDiplomacy - Blue Mockingbird - CHRYSENE - COZY BEAR - Carbanak - Chamelgang - Chimera - Cleaver - Cobalt Group - DarkHydrus - Dragonfly - Earth Lusca - FANCY BEAR - FIN13 - FIN6 - FIN7 - GALLIUM - Gamaredon - HEXANE - Indrik Spider - Ke3chang - Kimsuky - LAPSUS$ - Leafminer - Magic Hound - MuddyWater - OilRig - PittyTiger - Sandworm Team - Scattered Spider - TA505 - TEMP.Veles - Threat Group-3390 - Thrip - Tonto Team - Turla - Unit 29155 - Volt Typhoon - Whitefly - Wizard Spider - menuPass - Dispossessor","Exploitation tool","https://github.com/gentilkiwi/mimikatz","1","0","#Avsignature","N/A","10","10","19543","3756","2024-07-05T17:42:58Z","2014-04-06T18:30:02Z"
"*Win64.ShadowDumper*",".{0,1000}Win64\.ShadowDumper.{0,1000}","signature_keyword","ShadowDumper","dump LSASS memory","T1003.001 - T1055","TA0006 ","N/A","N/A","Credential Access","https://github.com/Offensive-Panda/ShadowDumper","1","0","#Avsignature","N/A","10","1","N/A","N/A","N/A","N/A"
"*Win64/IceId*",".{0,1000}Win64\/IceId.{0,1000}","signature_keyword","Antivirus Signature","antivirus signatures","N/A","N/A","N/A","N/A","Malware","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*Win64/Mikatz*",".{0,1000}Win64\/Mikatz.{0,1000}","signature_keyword","Antivirus Signature","AV signature for exploitation tools","N/A","N/A","N/A","N/A","Exploitation tool","N/A","1","0","N/A","mimikatz signatures","10","10","N/A","N/A","N/A","N/A"
"*Win64/MozillaCookiesView*",".{0,1000}Win64\/MozillaCookiesView.{0,1000}","signature_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","#Avsignature","N/A","7","10","N/A","N/A","N/A","N/A"
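Review bot: the Win64.ShadowDumper row, the single line this hunk adds, carries a trailing space in metadata_tool_tactics ("TA0006 ") while the neighbouring rows use "TA0006"; anything that groups, filters or joins on that column exactly will treat it as a separate tactic value, so trim it before merging. The same row leaves metadata_github_stars, metadata_github_forks, metadata_github_updated_at and metadata_github_created_at at N/A although metadata_link points at a GitHub repository (https://github.com/Offensive-Panda/ShadowDumper), whereas the mimikatz row two lines above has those fields populated; run the GitHub metadata refresh for it or note why it is skipped.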
996 changes: 676 additions & 320 deletions threathunting-keywords.csv
2 changes: 1 addition & 1 deletion tools/A-C/AdvancedRun.csv
@@ -1,2 +1,2 @@
"keyword","metadata_keyword_regex","metadata_keyword_type","metadata_tool","metadata_description","metadata_tool_techniques","metadata_tool_tactics","metadata_malwares_name","metadata_groups_name","metadata_category","metadata_link","metadata_enable_endpoint_detection","metadata_enable_proxy_detection","metadata_tags","metadata_comment","metadata_severity_score","metadata_popularity_score","metadata_github_stars","metadata_github_forks","metadata_github_updated_at","metadata_github_created_at"
"*AdvancedRun.exe /EXEFilename *\sc.exe*stop WinDefend*",".{0,1000}AdvancedRun\.exe\s\/EXEFilename\s.{0,1000}\\sc\.exe.{0,1000}stop\sWinDefend.{0,1000}","greyware_tool_keyword","AdvancedRun","nirsoft tool - Run a program with different settings that you choose","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A"
"*AdvancedRun.exe *",".{0,1000}AdvancedRun\.exe\s\/EXEFilename\s.{0,1000}\\sc\.exe.{0,1000}stop\sWinDefend.{0,1000}","greyware_tool_keyword","AdvancedRun","nirsoft tool - Run a program with different settings that you choose","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A"
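Review bot: the keyword and metadata_keyword_regex columns no longer describe the same pattern on the rewritten row: keyword reads `*AdvancedRun.exe *` but the regex is still `.{0,1000}AdvancedRun\.exe\s\/EXEFilename\s.{0,1000}\\sc\.exe.{0,1000}stop\sWinDefend.{0,1000}`, i.e. the regex derived from the other row's keyword `*AdvancedRun.exe /EXEFilename *\sc.exe*stop WinDefend*`. Consumers of the regex column will keep matching only the WinDefend-stop command line, while consumers of the keyword column will match every AdvancedRun.exe invocation, at severity 9 and with a metadata_link that still references the WhisperGate sc.exe case. Regenerate the regex from the keyword (or restore the narrower keyword) so the two columns agree, and if the broad form is intended, revisit the severity score and description since they were written for the specific Defender-stop pattern.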
24 changes: 12 additions & 12 deletions tools/A-C/Azure Storage Explorer.csv
@@ -1,13 +1,13 @@
"keyword","metadata_keyword_regex","metadata_keyword_type","metadata_tool","metadata_description","metadata_tool_techniques","metadata_tool_tactics","metadata_malwares_name","metadata_groups_name","metadata_category","metadata_link","metadata_enable_endpoint_detection","metadata_enable_proxy_detection","metadata_tags","metadata_comment","metadata_severity_score","metadata_popularity_score","metadata_github_stars","metadata_github_forks","metadata_github_updated_at","metadata_github_created_at"
"*/Microsoft Azure Storage Explorer.app*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.app.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*/Microsoft Azure Storage Explorer.zip*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*\Microsoft Azure Storage Explorer.zip*",".{0,1000}\\Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*>Microsoft Azure Storage Explorer Setup<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\sSetup\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*>Microsoft Azure Storage Explorer<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4*",".{0,1000}036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0*",".{0,1000}7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef*",".{0,1000}c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*com.microsoft.StorageExplorer*",".{0,1000}com\.microsoft\.StorageExplorer.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*Microsoft Azure Storage Explorer.app/Contents/*",".{0,1000}Microsoft\sAzure\sStorage\sExplorer\.app\/Contents\/.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*StorageExplorer-linux-x64.tar.gz*",".{0,1000}StorageExplorer\-linux\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*StorageExplorer-windows-x64.exe*",".{0,1000}StorageExplorer\-windows\-x64\.exe.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*/Microsoft Azure Storage Explorer.app*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.app.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*/Microsoft Azure Storage Explorer.zip*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*\Microsoft Azure Storage Explorer.zip*",".{0,1000}\\Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*>Microsoft Azure Storage Explorer Setup<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\sSetup\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*>Microsoft Azure Storage Explorer<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4*",".{0,1000}036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0*",".{0,1000}7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef*",".{0,1000}c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A"
"*com.microsoft.StorageExplorer*",".{0,1000}com\.microsoft\.StorageExplorer.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*Microsoft Azure Storage Explorer.app/Contents/*",".{0,1000}Microsoft\sAzure\sStorage\sExplorer\.app\/Contents\/.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*StorageExplorer-linux-x64.tar.gz*",".{0,1000}StorageExplorer\-linux\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*StorageExplorer-windows-x64.exe*",".{0,1000}StorageExplorer\-windows\-x64\.exe.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
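Review bot: the twelve rewritten rows set metadata_groups_name to Rhysida, but metadata_link is unchanged (the generic product page https://azure.microsoft.com/en-us/products/storage/storage-explorer) and metadata_comment stays N/A, so nothing in the rows records where the Rhysida attribution comes from. Put the report that ties Rhysida to Azure Storage Explorer in metadata_comment or replace the link with it, so the attribution can be checked later. Note also that three of the rows tagged #filehash are SHA-256 hashes of the legitimate installer; attributing those to a group means any host that downloads the unmodified Microsoft package will surface as a Rhysida match, which is worth stating in the description rather than leaving implicit.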