October 2024 updates

October 2024 updates

• 145 tools added, plus multiple existing tools updated.
• 57774 detection patterns
• Additional Threat Groups associations using the TI reports database / and many thanks to @BushidoUK cti projects

In progress:

• Automated recuperation of hashes from github releases of each tool as soon as they are released
  • combination with another project to automatically compile and upload to virustotal some critical tools selected with the metadata_severity_score
• reorganization of tags
• reorganization of lookups (thinking about lookup with hash / without hash / without tags... open to suggestion)

links

• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
• ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists

new keyword detection patterns added for the following tools :

• 4shared.com
• ADFSDump
• ADPassHunt
• ADSyncDecrypt
• Acunetix Web Vulnerability Scanner
• Adzok
• Argus
• Avast
• BadPotato
• BetterSafetyKatz
• BrowserSnatch
• Cable
• Certify
• CheckPort
• Checkmate
• ChromeCookiesView
• Cmdkey
• DNS-Hijacking
• Dataplicity
• Decrypt-RDCMan
• DecryptRDCManager
• Dirty-Vanity
• EarthWorm
• Eventlogedit-evt--General
• Eventlogedit-evtx--Evolution
• ForgeCert
• FruityC2
• GMSAPasswordReader
• GlobalUnProtect
• GodPotato
• Imminent-Monitor
• Inveigh
• Invoke-RDPThief
• JuicyPotato
• KeeTheft
• KrbRelay
• KrbRelay-SMBServer
• KrbRelayUp
• LAPSToolkit
• LsassReflectDumping
• MSSprinkler
• MozillaCookiesView
• NamelessC2
• NetSess
• NetworkServiceExploit
• NoPowerShell
• PSAttack
• PWDumpX
• PassTheCert
• PortQry
• Poshito
• PowerShellRunner
• PowerUpSQL
• PowerView
• Prince-Ransomware
• PrintSpoofer
• PrivExchange
• Procdump
• PwDump7
• PwDump8
• RottenPotatoNG
• Rubeus
• RunasCs
• Rust Localtunnels
• RustiveDump
• SCMUACBypass
• SMBTrap
• Seatbelt
• ShadowSpray
• SharpChrome
• SharpDPAPI
• SharpEfsPotato
• SharpGPOAbuse
• SharpGpo
• SharpHound
• SharpKatz
• SharpLAPS
• SharpMove
• SharpOxidResolver
• SharpPack
• SharpRDP
• SharpSCCM
• SharpSQL
• SharpUp
• SharpView
• Sharpmad
• SigmaPotato
• SimpleBackdoorAdmin
• Smbtouch-Scanner
• Termite
• Trellonet
• WCE
• Whisker
• adfsbrute
• arp
• atnow
• attrib
• btunnel
• burrow
• certoc
• cobaltstrike
• creddump7
• csexec
• dir
• dropbear
• easyupload.io
• echo
• emkei.cz
• fgdump
• find
• findstr
• hak5 cloudc2
• htran
• libprocesshider
• ln
• localtunnels
• localxpose
• lslsass
• ms-appinstaller
• net
• powershell
• precompiled-binaries
• pretender
• pslist
• psobf
• putty
• pwnlook
• quarkspwdump
• rdp
• reg
• resocks
• sc
• shootback
• smbscan
• sshdoor
• stunnel
• tmate
• tun2socks
• unset
• w32times
• wevtutil
• winPEAS
• winexe
• wso-webshell
• xspy

⚠️ **Details of added + updated tools Full Changelog: v1.0.5...v1.0.6

New contribution

• @mf1d3l made their first contribution in #25

• • Update README.md by @mf1d3l in #25

August 2024 updates

August 2024 updates

• 137 new tools added, plus multiple existing tools updated.
• 53907 detection patterns
• Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
• Significant updates to MITRE techniques and tactics.
• More Threat actor group names associated with all relevant tools using the ransomware tool matrix and MITRE groups page
• The new metadata_tags column has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, new tags for #filehash and #GUIDproject are fully populated . Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress but are steadily being updated.
• small correction of a subfolder name in the tools folder

In progress:

• Automated recuperation of hashes from github releases of each tool as soon as they are released
  • combination with another project to automatically compile and upload to virustotal some critical tools selected with the metadata_severity_score
• tool matrix enhancements
• new tags in the metadata_tags column

links

• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
• ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists

new keyword detection patterns added for the following tools :

• 1ty.me
• Arduino Pro Micro
• AsyncRAT-C-Sharp
• Atera
• BITSInject
• BadRentdrv2
• BloodHound
• Burntcigar KillAV
• C3
• Cactus WHID
• ChaiLdr
• ComodoRMM (Itarian RMM)
• Digispark Attiny85
• DirtyCLR
• EHORUS RMM
• ExtPassword.exe
• Fynloski Backdoor
• Gato-X
• GoAWSConsoleSpray
• Hak5 BashBunny
• Hak5 Lan turtle
• Hak5 O.MG Cable
• Hak5 Rubber Ducky
• Hak5 Screen Crab
• Hak5 Wifi Pineapple
• Invoke-Maldaptive
• Invoke-SocksProxy
• KeeFarce
• Lansweeper
• LostMyPassword
• MEGAcmd
• Maestro
• MailPassView
• NamedPipeMaster
• Nordic NRF52840
• OperaPassView
• PCHunter
• POC
• PS2EXE
• PowerLess
• PrintSpoofer
• PrivFu
• RDP Recognizer
• ROADtoken
• RouterPassView
• RouterScan
• Rust-Malware-Samples
• SCCMSecrets
• Sandman
• SecretServerSecretStealer
• ShareAudit
• SharpDump
• ShellGen
• ShimMe
• Shwmae
• SirepRAT
• SniffPass
• SpoolFool
• TDSKiller
• Taskmgr
• Telemetry
• TimeException
• TinyMet
• TokenFinder
• TrickDump
• TrueSocks
• Universal Virus Sniffer
• VNCPassView
• WSMan-WinRM
• WindowsDowndate
• ZeroHVCI
• _
• adfind
• aircrack
• arp
• asleap
• attrib
• autoNTDS
• bcdedit
• bcedit
• canisrufus
• chashell
• defender-control
• del
• dnskire
• dnspot
• dropmefiles.com
• dsregcmd
• echo
• eraser
• fex.net
• fleetdeck
• fleetdm
• gsecdump
• hackshell
• hookchain
• http.server
• jecretz
• keywa7
• knowsmore
• metasploit
• mimikatz
• net
• netsh
• nps
• nsocks
• oset
• pingcastle
• powershell
• premiumize.me
• privnote.com
• processhacker
• put.io
• qaz.im
• qaz.is
• qaz.su
• quiet-riot
• reg
• rmdir
• rs-shell
• rsocks
• sc
• schtasks
• secretsdump
• share.riseup.net
• sharphound
• shellsilo
• socat
• ssh
• sshamble
• systeminfo
• taskkill
• tasklist
• tor
• ufile.io
• wevtutil
• wmic

⚠️ **Details of added + updated tools Full Changelog: v1.0.4...v1.0.5

ThreatHunting-Keywords

July 2024 updates

• 74 tools added + multiple tools updated
• 45917 detection patterns
• updated README
• A new column named metadata_tags was added to include multiple tags for identifying specific artifacts, such as #filehash, #namedpipe, #registry, #GUIDproject, etc. This will help avoid creating new columns or mixing them into the comment column (work in progress).

links

• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
• ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists

keyword detection patterns added for the following tools :

• ADAPE-Script
• Aoyama
• Arbitrium-RAT
• Ask4Creds
• BackHAck
• BarracudaRMM
• BlackShades
• Cam-Hackers
• CheckSMBSigning
• ComodoRMM
• CursedChrome
• DeadPotato
• EDRPrison
• Gecko
• Godzilla
• IHxExec
• Invoke-GrabTheHash
• Invoke-PowerIncrease
• Invoke-RunAsSystem
• Invoke-s4u2self
• Kematian Stealer
• KeyCredentialLink
• Lime-RAT
• Moriarty
• Necro-Stealer
• Openssh
• PEASS-ng
• POC
• PassSpray
• Powerlurk
• PredatorTheStealer
• ProtectMyTooling
• Psnmap
• SessionExec
• SharpIncrease
• SharpVeeamDecryptor
• SoftEtherVPN
• SomalifuscatorV2
• SystemBC
• TGT_Monitor
• Token-Impersonation
• WSAAcceptBackdoor
• WinSCP
• blackvision
• certutil
• dir
• dirdevil
• esxcli
• filetransfer.io
• gmer
• hackforums.net
• icacls
• impacket
• mshta
• net
• openssh-portable
• panix
• paste.ee
• plink
• powershell
• printspoofer
• ransomware_notes
• reg
• saycheese
• sc
• schtasks
• sgn
• shutter
• specula
• ssh
• taskkill
• vncviewer
• win-brute-logon
• wmic

⚠️ Details of added + updated tools Full Changelog: v1.0.3...v1.0.4

ThreatHunting-Keywords

June 2024 updates

• 97 tools added + multiple tools updated
• 43126 detection patterns
• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists

Added:

• Alpemix
• AmperageKit
• AnyplaceControl
• anyviewer
• atexec-pro
• AutoHotkey
• auvik
• AV_Evasion_Tool
• AVKiller
• aweray
• Azure Storage Explorer
• chntpw
• clickjack
• comsvcs.dll
• conpass
• crowdstrike falcon
• csvde
• Ddexec
• DEDSEC-RANSOMWARE
• Disable-TamperProtection
• discord
• discord-c2
• Discord-RAT-2.0
• DriverDump
• fetch-some-proxies
• File-Tunnel
• Get-WmiObject
• GlllPowerloader
• gofile.io
• hidden-tear
• Ikeext-Privesc
• impacketremoteshell
• Invoke-ADEnum
• Invoke-DumpMDEConfig
• killProcessPOC
• level.io
• localtonet
• Lockless
• MakeMeAdmin
• MDE_Enum
• MetasploitCoop
• Microsoft Recall
• mimipy
• mythic
• net
• NetRipper
• nipe
• NoodleRAT
• NordVPN
• OshiUpload
• pcunlocker
• PewPewPew
• pico
• POC
• PowerBreach
• Powerpick
• powershell
• PWA-Phishing
• pyobfuscate
• PySQLRecon
• ransomware_notes
• RdpStrike
• rdrleakdiag
• RealBlindingEDR
• reconftw
• reg
• regsvr32
• RemoteKrbRelay
• responder
• rotateproxy
• SafetyDump
• sc
• SchTask_0x727
• ScriptBlock-Smuggling
• sdelete
• set
• ShadowStealer
• SharpAppLocker
• SharpCOM
• SharpDecryptPwd
• SharpEdge
• SharpLogger
• SharpSC
• SharpSSDP
• SharpThief
• spinningteacup
• suo5
• TotalRecall
• tsh
• tsh-go
• Tsunami
• usaupload
• VenomousSway
• VNCViewer
• Voidgate
• wmic
• XiebroC2

Details of added + updated tools Full Changelog: v1.0.2...v1.0.3

ThreatHunting-Keywords

May 2024 updates

• 72 tools added
• 39865 detection patterns
• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists

Added:

• 1secmail.com
• AD-common-queries
• ADFSDump-PS
• AMSITrigger
• Adcheck
• AmsiBypass
• AutoIt
• BadWindowsService
• Blank-Grabber
• BlankOBF
• CLR-Injection
• DoubleDrive
• EASSniper
• GTFONow
• HTTP-Shell
• IPPrintC2
• Invoke-DNSteal
• Invoke-Stealth
• LTProxy
• Luna-Grabber
• Malware RAT collection
• Neo-reGeorg
• OSEP-Code-Snippets
• Omnispray
• PPLSystem
• PSAsyncShell
• Powershell-Scripts-for-Hackers-and-Pentesters
• Proxifier
• QuickAssist
• RITM
• RPC-Backdoor
• RedTeam_Tools_n_Stuff
• Rust-for-Malware-Development
• S-inject
• SharpBruteForceSSH
• SharpElevator
• SharpPersistSD
• SharpRODC
• ShellServe
• ShellSync
• ThievingFox
• TokenTacticsV2
• TunnelVision
• arsenal
• beeceptor.com
• btunnel.in
• dropbox
• guerrillamail
• homeway.io
• killer
• ldap queries
• localhost.run
• lolminer
• maildrop
• mega.co.nz
• myftp.biz
• myftp.org
• nbtscan
• netcat
• no_defender
• pamspy
• pinggy
• powershell
• powerview
• pwcrack-framework
• python
• r77-rootkit
• remoteit
• serveo.net
• spraycharles
• staqlab-tunnel
• temp-mail

Details of added + updated tools Full Changelog: v1.0.1...v1.0.2

ThreatHunting-Keywords

April 2024 updates

• 152 tools added/updated
• 35380 detection patterns
• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists

Added/Updated lists:

• threathunting-keywords.csv
• offensive_tool_keyword.csv
• greyware_tool_keyword.csv
• signature_keyword.csv
• Ammyy Admin.csv
• adexplorer.csv
• boringproxy.csv
• crowbar.csv
• curl.csv
• FileZilla.csv
• duckdns.org.csv
• expose.csv
• go-http-tunnel.csv
• gost.csv
• gsocket.csv
• gt.csv
• hypertunnel.csv
• jprq.csv
• lsa-whisperer.csv
• netsh.csv
• ngrok.csv
• Portr.csv
• PyPagekite.csv
• pgrok.csv
• powershell.csv
• python.csv
• SetACL.csv
• SirTunnel.csv
• rathole.csv
• reg.csv
• remotemoe.csv
• restic.csv
• reverse-tunnel.csv
• setspn.csv
• shadowsocks.csv
• sish.csv
• softperfect networkscanner.csv
• tunnel.csv
• tunneller.csv
• tunnelmole-client.csv
• tunnelto.dev.csv
• tunwg.csv
• wget.csv
• wiretap.csv
• zrok.csv
• ASPJinjaObfuscator.csv
• BrowsingHistoryView.csv
• CelestialSpark.csv
• bpf-keylogger.csv
• curlshell.csv
• DLHell.csv
• FilelessPELoader.csv
• fuegoshell.csv
• KExecDD.csv
• impacket.csv
• kali.csv
• LDAP-Password-Hunter.csv
• LetMeowIn.csv
• NetNTLMtoSilverTicket.csv
• lsassy.csv
• metasploit.csv
• nanodump.csv
• Ouned.csv
• PILOT.csv
• Python-Rootkit.csv
• prefetch-tool.csv
• pyrdp.csv
• Shell3er.csv
• var0xshell.csv
• veeam-creds.csv
• wmiexec-pro.csv
• wraith.csv
• Amnesiac.csv
• Antivirus Signature.csv
• BeRoot.csv
• Invoke-TheHash.csv
• KPortScan.csv
• kiglogger.csv
• Lime-Crypter.csv
• merlin.csv
• PEASS.csv
• SharpEDRChecker.csv
• Venom.csv
• cat.csv
• icalcs.csv
• RemotePC.csv
• rdpwrap.csv
• regsvr32.csv
• ren.csv
• takeown.csv
• AMSI-Provider.csv
• EvilClippy.csv
• dll-hijack-by-proxying.csv
• GraphSpy.csv
• LocalShellExtParse.csv
• MacroMeter.csv
• NTMLRecon.csv
• NetshHelperBeacon.csv
• lnk2pwn.csv
• logon_backdoor.csv
• masscan.csv
• mimidogz.csv
• nishang.csv
• Offensive-Netsh-Helper.csv
• OffensiveCpp.csv
• Office-Persistence.csv
• Persistence-Accessibility-Features.csv
• persistence_demos.csv
• RID-Hijacking.csv
• SharpDllProxy.csv
• SharpGPOAbuse.csv
• ShimDB.csv
• Snaffler.csv
• rattler.csv
• spoofing-office-macro.csv
• tricky.lnk.csv
• Waitfor-Persistence.csv
• WinPirate.csv
• Windows-Crack.csv
• vbad.csv
• viperc2.csv
• xz.csv
• Ahk2Exe.csv
• adfind.csv
• adrecon.csv
• Goodsync.csv
• IObitUnlocker.csv
• meshcentral.csv
• psexec.csv
• RemCom.csv
• sc.csv
• slack.csv
• whoami.csv
• wireproxy.csv
• AzureADLateralMovement.csv
• ccmpwn.csv
• copy.csv
• crackmapexec.csv
• Defeat-Defender.csv
• DragonCastle.csv
• goWMIExec.csv
• Jasmin-Ransomware.csv
• Koppeling.csv
• NTHASH-FPC.csv
• mssqlproxy.csv
• PickleC2.csv
• poshc2.csv
• pwdump.csv
• ScheduleRunner.csv
• SharpNoPSExec.csv
• SharpSCCM.csv
• SharpWSUS.csv
• Slackor.csv
• Tchopper.csv
• scshell.csv
• WMEye.csv

Details:

Lists:

• 15,134 changes: 13,959 additions & 1,175 deletions in threathunting-keywords.csv
• 7,017 changes: 5,220 additions & 1,797 deletions in offensive_tool_keyword.csv
• 7,598 changes: 7,339 additions & 259 deletions in greyware_tool_keyword.csv

Yara rules details (https://github.com/mthcht/ThreatHunting-Keywords-yara-rules):

• 1,131 changes: 567 additions & 564 deletions 1,131 yara_rules/offensive_tool_keyword/L-N/metasploit.yara
• 10 changes: 5 additions & 5 deletions 10 yara_rules/offensive_tool_keyword/R-T/SharpWSUS.yara
• 10 changes: 5 additions & 5 deletions 10 yara_rules/offensive_tool_keyword/U-W/WMEye.yara
• 101 changes: 52 additions & 49 deletions 101 yara_rules/offensive_tool_keyword/L-N/lsassy.yara
• 105 changes: 54 additions & 51 deletions 105 yara_rules/offensive_tool_keyword/L-N/nanodump.yara
• 11 changes: 4 additions & 7 deletions 11 yara_rules/greyware_tool_keyword/A-C/Ammyy Admin.yara
• 110 changes: 110 additions & 0 deletions 110 yara_rules/greyware_tool_keyword/R-T/tunnelmole-client.yara
• 112 changes: 71 additions & 41 deletions 112 yara_rules/offensive_tool_keyword/I-K/Jasmin-Ransomware.yara
• 114 changes: 57 additions & 57 deletions 114 yara_rules/offensive_tool_keyword/L-N/nishang.yara
• 116 changes: 116 additions & 0 deletions 116 yara_rules/greyware_tool_keyword/A-C/crowbar.yara
• 119 changes: 119 additions & 0 deletions 119 yara_rules/greyware_tool_keyword/A-C/boringproxy.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/O-Q/psexec.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/R-T/reg.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/greyware_tool_keyword/U-W/whoami.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/offensive_tool_keyword/L-N/mssqlproxy.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/offensive_tool_keyword/R-T/Snaffler.yara
• 12 changes: 6 additions & 6 deletions 12 yara_rules/signature_keyword/A-C/Antivirus Signature.yara
• 12 changes: 9 additions & 3 deletions 12 yara_rules/greyware_tool_keyword/L-N/netsh.yara
• 122 changes: 122 additions & 0 deletions 122 yara_rules/offensive_tool_keyword/O-Q/Ouned.yara
• 125 changes: 125 additions & 0 deletions 125 yara_rules/greyware_tool_keyword/R-T/rdpwrap.yara
• 125 changes: 125 additions & 0 deletions 125 yara_rules/offensive_tool_keyword/O-Q/Python-Rootkit.yara
• 13 changes: 8 additions & 5 deletions 13 yara_rules/offensive_tool_keyword/I-K/kali.yara
• 137 changes: 137 additions & 0 deletions 137 yara_rules/greyware_tool_keyword/A-C/Ahk2Exe.yara
• 140 changes: 140 additions & 0 deletions 140 yara_rules/greyware_tool_keyword/R-T/tunwg.yara
• 146 changes: 146 additions & 0 deletions 146 yara_rules/offensive_tool_keyword/D-F/Defeat-Defender.yara
• 149 changes: 149 additions & 0 deletions 149 yara_rules/greyware_tool_keyword/E-H/go-http-tunnel.yara
• 15 changes: 9 additions & 6 deletions 15 yara_rules/offensive_tool_keyword/U-W/veeam-creds.yara
• 152 changes: 152 additions & 0 deletions 152 yara_rules/greyware_tool_keyword/O-Q/PyPagekite.yara
• 16 changes: 8 additions & 8 deletions 16 yara_rules/offensive_tool_keyword/A-C/adfind.yara
• 162 changes: 81 additions & 81 deletions 162 yara_rules/offensive_tool_keyword/A-C/Amnesiac.yara
• 164 changes: 164 additions & 0 deletions 164 yara_rules/offensive_tool_keyword/U-W/WinPirate.yara
• 167 changes: 167 additions & 0 deletions 167 yara_rules/greyware_tool_keyword/R-T/reverse-tunnel.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/greyware_tool_keyword/R-T/regsvr32.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/greyware_tool_keyword/R-T/slack.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/offensive_tool_keyword/U-W/Windows-Crack.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/Ammyy Admin.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/Amnesiac.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/A-C/BeRoot.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/Invoke-TheHash.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/Jasmin-Ransomware.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/KPortScan.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/I-K/kiglogger.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/L-N/Lime-Crypter.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/L-N/merlin.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/O-Q/PEASS.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/O-Q/Python-Rootkit.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/R-T/SharpEDRChecker.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/U-W/Venom.yara
• 17 changes: 17 additions & 0 deletions 17 yara_rules/signature_keyword/U-W/wraith.yara
• 172 changes: 86 additions & 86 deletions 172 yara_rules/offensive_tool_keyword/L-N/NTHASH-FPC.yara
• 178 changes: 89 additions & 89 deletions 178 yara_rules/greyware_tool_keyword/R-T/RemotePC.yara
• 179 changes: 179 additions & 0 deletions 179 yara_rules/greyware_tool_keyword/I-K/jprq.yara
• 179 changes: 179 additions & 0 deletions 179 yara_rules/greyware_tool_keyword/R-T/tunneller.yara
• 18 changes: 9 additions & 9 deletions 18 yara_rules/greyware_tool_keyword/A-C/adfind.yara
• 18 changes: 9 additions & 9 deletions 18 yara_rules/offensive_tool_keyword/R-T/SharpNoPSExec.yara
• 19 changes: 11 additions & 8 deletions 19 yara_rules/greyware_tool_keyword/R-T/sc.yara
• 198 changes: 99 additions & 99 deletions 198 yara_rules/offensive_tool_keyword/A-C/crackmapexec.yara
• 2 changes: 1 addition & 1 deletion 2 yara_rules/greyware_tool_keyword/O-Q/powershell.yara
• 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/A-C/AzureADLateralMovement.yara
• 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/A-C/copy.yara
• 2 changes: 1 addition & 1 deletion 2 yara_rules/offensive_tool_keyword/R-T/scshell.yara
• 20 changes: 10 additions & 10 deletions 20 yara_rules/offensive_tool_keyword/R-T/ScheduleRunner.yara
• 20 changes: 20 additions & 0 deletions 20 yara_rules/greyware_tool_keyword/R-T/setspn.yara
• 20 changes: 20 additions & 0 deletions 20 yara_rules/greyware_tool_keyword/U-W/wget.yara
• 21 changes: 12 additions & 9 deletions 21 yara_rules/greyware_tool_keyword/L-N/netsh.yara
• 21 changes: 21 additions & 0 deletions 21 yara_rules/greyware_tool_keyword/L-...

ThreatHunting-Keywords

February and March 2024 updates

• 144 tools updated
• 30513 detection patterns
• WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
• Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
• Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
• Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists

more details on each tool added in the next releases...

First release contributors details

Contributors

• @wikijm made their first contribution in #4
• @Ekitji made their first contribution in #9

Contributors updates since the publication

• Update README.md by @wikijm in #4
• Update th_keywords_processnames_elk.txt by @Ekitji in #9
• striped version of suspicious_http_user_agents_list.csv with only focus on non bots by @Ekitji in #10
• Update README.md by @Ekitji in #11
• Update user_agent_elk.txt by @Ekitji in #12
• Update suspicious_named_pipe_elk.txt by @Ekitji in #13
• fixed some issues with numbs and so on by @Ekitji in #14
• minor adjustments by @Ekitji in #15
• Update th_keywords_processnames_elk.txt by @Ekitji in #16
• Update user_agent_elk.txt by @Ekitji in #17
• some additions and updates by @Ekitji in #18
• Adding AnyDesk.exe previous version (file named 'previous-version') by @wikijm in #21