From 80fee4b9b9be4c110f10cf8b93f4e6d30f147efd Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:26:58 -0500 Subject: [PATCH 1/8] Add files via upload --- lookups/windows_suspicious_services.csv | 93 +++++++++++++++++++++++++ lookups/windows_suspicious_services.yml | 14 ++++ 2 files changed, 107 insertions(+) create mode 100644 lookups/windows_suspicious_services.csv create mode 100644 lookups/windows_suspicious_services.yml diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv new file mode 100644 index 0000000000..3a2355cf28 --- /dev/null +++ b/lookups/windows_suspicious_services.csv @@ -0,0 +1,93 @@ +service_name,service_path,tool_name,tool_category,tool_type,severity,comment,reference +*mimidrv*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +*mimikatz*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +*sharpsploit*,,sharpsploit,Lateral Movement,offensive_tool,critical,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharpSploit.csv,https://github.com/cobbr/SharpSploit/blob/c16931ddb8cd2335e0bd26feb9aaa35f449d48db/SharpSploit/LateralMovement/SCM.cs#L209 +3proxy,,3proxy,Defense Evasion,offensive_tool,medium,https://github.com/3proxy/3proxy/blob/a80bef9ecf0c0ed98ccb1a1a764f6b79a620b78f/src/stringtable.c#L14,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/_Others/3proxy.csv +AADInternals,,AADInternals,Credential Access,greyware_tools,high,A little service to steal the AD FS DKM secret,https://github.com/Gerenios/AADInternals/blob/0fa2edf5676439cd3fe7c92ed8006b63f0be9632/ADFS.ps1#L484C132-L484C144 +aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv +BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md +BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv +c3pool_miner,,xmrig,Cryptominer,greyware_tool,critical,https://github.com/C3Pool/xmrig_setup/blob/82c4e9bf7ee3c0c9cd925ede6e46e9ed4cc5f195/setup_c3pool_miner.bat#L380,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv +chopper,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv +CorpVPN,,UacMe,Persistence,offensive_tool,critical,https://github.com/r00t-3xp10it/redpill/blob/611d39b8bff717ac84d58550dc04e1b312acb19e/bin/UacMe.ps1#L291,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/redpill.csv +CreateToken,,CreateToken,Privilege Escalation,offensive_tool,critical,PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API - CreateToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md +CreatSvcRpc_*,,CreateSvcRpc,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SspiUacBypass.csv +csexecsvc,,csexec,Lateral Movement,offensive_tool,critical,https://github.com/malcomvetter/CSExec/blob/d6bd3f97e66dc65ccf64d9102a33379fdb769614/csexecsvc/Program.cs#L13,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/csexec.csv +CyberGhost 6 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost 7 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost 8 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost Tunnel Client: CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost6Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 6\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost7Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 7\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost8Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 8\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhostTunnel$CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: \Program Files\CyberGhost 8\Applications\VPN\WGHelper.exe /service C:\Windows\system32\config\systemprofile\AppData\Local\CyberGhost\WGSession-1\CyberGhost-WireGuard-1.conf,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +dcrypt,,DiskCryptor,Impact,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DiskCryptor.csv +dnsproxy,,dns-proxy,Defense Evasion,offensive_tool,critical,dnsproxy service,https://github.com/AdguardTeam/dnsproxy/pull/194/files +final_seg,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv +GetFullPrivs,,GetFullPrivs,Privilege Escalation,offensive_tool,critical,PoCs to get full privileges with DKOM method - GetFullPrivs,https://github.com/daem0nc0re/VectorKernel/blob/main/GetFullPrivs/README.md +GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs to get full access process handle from kernelmode - GetProcHandle,https://github.com/daem0nc0re/VectorKernel/blob/main/GetProcHandle/README.md +GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/ +InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md +KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv +KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv +MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/ +maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv +MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv +Meterpreter,,metasploit,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv +metsvc,metsvc-server.exe,Metasploit server,Exploitation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv +ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded kernel drivers with DKOM method - ModHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ModHide/README.md +Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md +Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap +OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv +PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv +PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv +PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv +physmem2profit,,physmem2profit,Credential Access,offensive_tool,critical,https://github.com/WithSecureLabs/physmem2profit/blob/2f64133bd9931303b8ae47630835e96347e0f294/server/Plugins/WinPmem.cs#L11,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/physmem2profit.csv +PowerUpService,,PowerSploit Privesc.tests.ps1,Privilege Escalation,offensive_tool,critical,,https://github.com/PowerShellMafia/PowerSploit/blob/master/Tests/Privesc.tests.ps1 +PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PPLBlade.csv +ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv +ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md +ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md +PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv +pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv +PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv +QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md +RandomService,,Invoke-SMBRemoting,Lateral Movement,offensive_tool,critical,Invoke-SMBRemoting service example,https://github.com/Leo4j/Amnesiac/blob/216ba3a280bf49ea3f5b1afab80f843bbde3548d/Tools/Invoke-SMBRemoting.ps1#L33C99-L33C113 +RemCom Service,,RemCom.exe,Lateral movement,offensive_tool,critical,,https://github.com/kavika13/RemCom +REPLACE_ME_DummyServiceName,,netexec,Credential Access,offensive_tool,critical,https://github.com/Pennyw0rth/NetExec/blob/b855dac2b696ea1b744f10a0573c6b394670a5cb/nxc/data/keepass_trigger_module/RestartKeePass.ps1#L4,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv +Ring0NamedPipeFilter,,NamedPipeMaster,Privilege Escalation,offensive_tool,critical,https://github.com/gavz/NamedPipeMaster,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NamedPipeMaster.csv +Service_*,,PsMapExec,Lateral Movement,offensive_tool,critical,PsMapExec creating services regex detection: Service_[A-Za-z]{16},https://github.com/The-Viper-One/PsMapExec/blob/0ae7a6967c07bf3ebf555e665d4c43ce86c6addf/PsMapExec.ps1#L1488 +sesshijack,,atomic-red-team test T1563.002,Persistence,offensive_tool,high,,https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md?plain=1 +SEVPNCLIENTDEV,*\Program Files\SoftEther VPN Client Developer Edition\vpnclient.exe*,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +Shadowsocks Local Service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv +shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv +SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW +sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv +SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv +StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md +svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv +svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists +TestService,,SharpyStay default,Persistence,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89 +TestSVC,,SharpyShell - Get-System.ps1 default service name,Privilege Escalation,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89 +UACBypassedService,,S4UTomato & KRBUACBypass,Privilege Escalation,offensive_tool,critical,https://github.com/wh0amitz/S4UTomato/blob/c709a2997efb1b30375c5134ff57eb49ec177918/S4UTomato/lib/KrbSCM.cs#L10 - https://github.com/wh0amitz/KRBUACBypass/blob/e2ad3ff8b5810dda0b2d75442f1c67aef7e3c4c1/KRBUACBypass/lib/KrbSCM.cs#L10,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv +VPN Client Device Driver - VPN,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +WCESERVICE,,wce,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/wce.csv +windows_monitoring,,social-engineer-toolkit persistence payload,Persistence,offensive_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/social-engineer-toolkit.csv +winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/winexe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/winexe.csv +WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv +WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv +WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv +wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv +,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists +,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists +,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists +,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists \ No newline at end of file diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml new file mode 100644 index 0000000000..cf85cbbf98 --- /dev/null +++ b/lookups/windows_suspicious_services.yml @@ -0,0 +1,14 @@ +name: windows_suspicious_services +date: 2025-02-07 +version: 1 +id: 8c214005-2b4e-49c8-bba6-747005f11296 +author: Steven Dick +lookup_type: csv +description: A list of suspicious Windows Service names and locations +default_match: false +match_type: +- WILDCARD(service_name) +- WILDCARD(service_path) +min_matches: 1 +max_matches: 1 +case_sensitive_match: false \ No newline at end of file From d82968a9efbf489cb47f5023c8c509419ceda9f6 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:27:33 -0500 Subject: [PATCH 2/8] Add files via upload --- ...e_created_with_suspicious_service_name.yml | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 detections/endpoint/windows_service_created_with_suspicious_service_name.yml diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml new file mode 100644 index 0000000000..7b1081e90f --- /dev/null +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -0,0 +1,79 @@ +name: Windows Service Created with Suspicious Service Name +id: 35eb6d19-a497-400c-93c5-645562804b11 +version: 1 +date: '2025-02-07' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. +data_source: +- Windows Event Log System 7045 +search: |- + `wineventlog_system` EventCode=7045 + | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID + | eval process_name = mvindex(split(process,"\\"),-1) + | rename Computer as dest, ServiceName as object_name, ServiceType as object_type + | lookup windows_suspicious_services service_name as object_name + | where isnotnull(tool_type) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_service_created_with_suspicious_service_name_filter` +how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon services paths. +references: +- https://attack.mitre.org/techniques/T1569/002/ +- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 +- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv +drilldown_searches: +- name: View the detection results for - "$dest$"" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate service events on $dest$ + search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$] + risk_objects: + - field: dest + type: system + score: 75 + - field: user + type: user + score: 75 + threat_objects: + - field: process + type: file_name + - field: object_name + type: object_name +tags: + analytic_story: + - Active Directory Lateral Movement + - Brute Ratel C4 + - CISA AA23-347A + - Clop Ransomware + - Flax Typhoon + - PlugX + - Qakbot + - Snake Malware + asset_type: Endpoint + mitre_attack_id: + - T1569 + - T1569.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog \ No newline at end of file From 71f1b53016fc80186b3b28304ca221c3dab5386f Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:38:57 -0500 Subject: [PATCH 3/8] Update windows_suspicious_services.csv --- lookups/windows_suspicious_services.csv | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 3a2355cf28..84a3912add 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -8,6 +8,8 @@ aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +SecurityCenterIBM,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +WinCheckDRVs,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv @@ -90,4 +92,4 @@ wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed wit ,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists ,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists ,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists \ No newline at end of file +,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists From e0bb7ec748892ffb9a4d49c924dec656a7052297 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:39:17 -0500 Subject: [PATCH 4/8] Update windows_suspicious_services.csv --- lookups/windows_suspicious_services.csv | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 84a3912add..5452862c68 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -8,8 +8,8 @@ aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf -SecurityCenterIBM,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html -WinCheckDRVs,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +SecurityCenterIBM,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +WinCheckDRVs,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv From 658c2e6a5eb12ad8d4c1c80ae93f4f1f3f857b54 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:42:13 -0500 Subject: [PATCH 5/8] Update windows_service_created_with_suspicious_service_name.yml --- ...windows_service_created_with_suspicious_service_name.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 7b1081e90f..6e98bb1dde 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -49,9 +49,9 @@ rba: score: 75 threat_objects: - field: process - type: file_name + type: process - field: object_name - type: object_name + type: signature tags: analytic_story: - Active Directory Lateral Movement @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log source: XmlWinEventLog:System - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From 1946c4eeae719f12065e26919710378570e70536 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:45:27 -0500 Subject: [PATCH 6/8] Update windows_service_created_with_suspicious_service_name.yml --- .../windows_service_created_with_suspicious_service_name.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 6e98bb1dde..e7567eb9bf 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -14,7 +14,7 @@ search: |- | eval process_name = mvindex(split(process,"\\"),-1) | rename Computer as dest, ServiceName as object_name, ServiceType as object_type | lookup windows_suspicious_services service_name as object_name - | where isnotnull(tool_type) + | where isnotnull(tool_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_name_filter` From ae1abc50edb771bc744872c8494b7dbca6568de7 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:18:30 -0500 Subject: [PATCH 7/8] Update windows_service_created_with_suspicious_service_name.yml --- .../windows_service_created_with_suspicious_service_name.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index e7567eb9bf..5d7eb02d53 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -64,7 +64,6 @@ tags: - Snake Malware asset_type: Endpoint mitre_attack_id: - - T1569 - T1569.002 product: - Splunk Enterprise From fb4a5ea9f4bec9e9cb243b3ba575ee14f3408187 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:29:33 -0500 Subject: [PATCH 8/8] Update windows_suspicious_services.csv nas comments --- lookups/windows_suspicious_services.csv | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 5452862c68..732f509268 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -35,7 +35,6 @@ GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs t GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/ InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv -KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/ maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv @@ -45,7 +44,6 @@ ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded ker Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap -OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv @@ -55,7 +53,6 @@ PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/m ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md -PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md @@ -71,7 +68,6 @@ shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/ SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv -sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists @@ -85,11 +81,4 @@ winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/ WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv -wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv -,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists -,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists -,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists -,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv