security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #5597 from @nasbench - Archive new rule references and update cache file

Browse Source 
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-08-29 10:31:14 +02:00
committed by GitHub
parent fe5e698723
commit 1751ef8673
2 changed files with 481 additions and 478 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/latest_archiver_output.md
+465 -478
View File
@@ -1,6 +1,6 @@
# Reference Archiver Results
Last Execution: 2025-08-01 02:18:21
Last Execution: 2025-08-15 02:17:06
### Archiver Script Results
@@ -11,495 +11,482 @@ N/A
#### Already Archived References
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
- https://nvd.nist.gov/vuln/detail/CVE-2025-30406
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
- https://github.com/huntresslabs/threat-intel/blob/3bad6b0fadfcca3ff5680923e74e39edd72f32da/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
- https://github.com/logangoins/SharpSuccessor
- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
- https://intel.thedfirreport.com/events/view/30032
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
- https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
- https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
- https://redcanary.com/blog/msix-installers/
- https://github.com/CICADA8-Research/RemoteKrbRelay
- https://hijacklibs.net/entries/3rd_party/oracle/jli.html
- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
- https://research.eye.security/sharepoint-under-siege/
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
- https://cloud.google.com/access-context-manager/docs/audit-logging
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
#### Error While Archiving References
- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://manual.cs50.io/2/personality
- https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://www.loobins.io/binaries/nscurl/
- https://unit42.paloaltonetworks.com/chromeloader-malware/
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
- https://x.com/cyb3rops/status/1862406110365245506
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://objective-see.org/blog/blog_0x6D.html
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://www.cisa.gov/stopransomware/ransomware-guide
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://cert.gov.ua/article/6284080
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
- https://github.com/logangoins/Krueger/tree/main
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
- https://redcanary.com/blog/threat-detection/process-masquerading/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
- https://intel.thedfirreport.com/eventReports/view/70
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://gtfobins.github.io/gtfobins/curl/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://adsecurity.org/?p=1785
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
- https://tria.ge/240226-fhbe7sdc39/behavioral1
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
- https://man7.org/linux/man-pages/man2/mknod.2.html
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
- https://intel.thedfirreport.com/eventReports/view/57
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
- https://twitter.com/Kostastsale/status/1480716528421011458
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.loobins.io/binaries/pbpaste/
- https://ss64.com/osx/sw_vers.html
- https://www.huntress.com/blog/attacking-mssql-servers
- https://github.com/varwara/CVE-2024-35250
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://www.softperfect.com/products/networkscanner/
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://www.joesandbox.com/analysis/1467354/0/html
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://x.com/Threatlabz/status/1879956781360976155
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
- https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php
- https://man7.org/linux/man-pages/man1/dmesg.1.html
- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
- https://asec.ahnlab.com/en/40263/
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
- https://bazaar.abuse.ch/browse/tag/one/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
- https://github.com/CICADA8-Research/RemoteKrbRelay
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://x.com/Max_Mal_/status/1826179497084739829
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
- https://www.loobins.io/binaries/launchctl/
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
- https://github.com/grayhatkiller/SharpExShell
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html
- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
- https://tria.ge/231212-r1bpgaefar/behavioral2
- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
- https://news.ycombinator.com/item?id=29504755
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
- https://learn.microsoft.com/en-us/windows/win32/shell/launch
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
- https://tria.ge/241231-j9yatstqbm/behavioral1
- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
- https://tria.ge/240521-ynezpagf56/behavioral1
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
- https://x.com/Wietze/status/1933495426952421843
- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
- https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://github.com/clearvector/lambda-spy
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
- https://github.com/c3c/ADExplorerSnapshot.py
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/
- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
- https://www.loobins.io/binaries/xattr/
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
- https://nvd.nist.gov/vuln/detail/CVE-2025-2825
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
- https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
- https://paper.seebug.org/1495/
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://man7.org/linux/man-pages/man2/syslog.2.html
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://www.huntress.com/blog/the-unwanted-guest
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
- https://github.com/0xthirteen/SharpMove/
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
- https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
- https://research.eye.security/sharepoint-under-siege/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://tria.ge/231023-lpw85she57/behavioral2
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
- https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
- https://megatools.megous.com/
- https://ngrok.com/blog-post/new-ngrok-domains
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://cloud.google.com/access-context-manager/docs/audit-logging
- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
- https://tria.ge/220422-1pw1pscfdl/
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
- https://blog.talosintelligence.com/uat-5647-romcom/
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://gtfobins.github.io/gtfobins/curl/
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://x.com/Wietze/status/1933495426952421843
- https://tria.ge/231212-r1bpgaefar/behavioral2
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
- https://ipurple.team/2024/07/15/sharphound-detection/
- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
- https://tria.ge/240226-fhbe7sdc39/behavioral1
- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://x.com/cyberfeeddigest/status/1887041526397587859
- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
- https://blog.talosintelligence.com/uat-5647-romcom/
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
- https://intel.thedfirreport.com/eventReports/view/70
- https://www.softperfect.com/products/networkscanner/
- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
- https://nvd.nist.gov/vuln/detail/CVE-2025-2825
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://twitter.com/standa_t/status/1808868985678803222
- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
- https://ss64.com/nt/set.html
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://www.anyviewer.com/help/remote-technical-support.html
- https://man7.org/linux/man-pages/man2/syslog.2.html
- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
- https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://www.joesandbox.com/analysis/1467354/0/html
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/
- https://x.com/NullSecurityX/status/1937444064867029179
- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
- https://taggart-tech.com/evildeno/
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://paper.seebug.org/1495/
- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- https://github.com/varwara/CVE-2024-35250
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
- https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://intel.thedfirreport.com/eventReports/view/57
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://x.com/Threatlabz/status/1879956781360976155
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- https://objective-see.org/blog/blog_0x6D.html
- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
- https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
- https://www.loobins.io/binaries/nscurl/
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://securelist.com/apt41-in-africa/116986/
- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
- https://x.com/Max_Mal_/status/1826179497084739829
- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://bazaar.abuse.ch/browse/tag/one/
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
- https://twitter.com/th3_protoCOL/status/1536788652889497600
- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
- https://localtonet.com/documents/supported-tunnels
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
- https://www.huntress.com/blog/attacking-mssql-servers
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
- https://www.spamhaus.org/reputation-statistics/cctlds/domains/
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://redcanary.com/blog/threat-detection/process-masquerading/
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
- https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
- https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
- https://unit42.paloaltonetworks.com/chromeloader-malware/
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
- https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
- https://www.loobins.io/binaries/launchctl/
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
- https://labs.nettitude.com/blog/introducing-sharpwsus/
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- https://tria.ge/241231-j9yatstqbm/behavioral1
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://ipurple.team/2024/07/15/sharphound-detection/
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
- https://x.com/cyberfeeddigest/status/1887041526397587859
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://www.anyviewer.com/help/remote-technical-support.html
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://tria.ge/240731-jh4crsycnb/behavioral2
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
- https://localtonet.com/documents/supported-tunnels
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
- https://labs.nettitude.com/blog/introducing-sharpwsus/
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
- https://mrd0x.com/filefix-clickfix-alternative/
- https://www.spamhaus.org/reputation-statistics/cctlds/domains/
- https://twitter.com/th3_protoCOL/status/1536788652889497600
- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
- https://gtfobins.github.io/gtfobins/rsync/#shell
- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
- https://taggart-tech.com/evildeno/
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
- https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
- https://github.com/rapid7/metasploit-framework/issues/11337
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
- https://tria.ge/240521-ynezpagf56/behavioral1
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://x.com/NullSecurityX/status/1937444064867029179
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://twitter.com/standa_t/status/1808868985678803222
- https://cert.gov.ua/article/6277849
- https://ss64.com/nt/set.html
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
- https://redcanary.com/blog/msix-installers/
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144
- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/rtecCyberSec/BitlockMove
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.cisa.gov/stopransomware/ransomware-guide
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://adsecurity.org/?p=1785
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
- https://github.com/clearvector/lambda-spy
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://github.com/grayhatkiller/SharpExShell
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
- https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
- https://x.com/cyb3rops/status/1862406110365245506
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/logangoins/Krueger/tree/main
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.huntress.com/blog/the-unwanted-guest
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://twitter.com/Kostastsale/status/1480716528421011458
- https://github.com/rtecCyberSec/BitlockMove
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
- https://ss64.com/osx/sw_vers.html
- https://ngrok.com/blog-post/new-ngrok-domains
- https://asec.ahnlab.com/en/40263/
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://cert.gov.ua/article/6284080
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://tria.ge/220422-1pw1pscfdl/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
- https://tria.ge/231023-lpw85she57/behavioral2
- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
- https://mrd0x.com/filefix-clickfix-alternative/
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
- https://learn.microsoft.com/en-us/windows/win32/shell/launch
- https://man7.org/linux/man-pages/man2/mknod.2.html
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://github.com/rapid7/metasploit-framework/issues/11337
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
- https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
- https://cert.gov.ua/article/6277849
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
- https://github.com/0xthirteen/SharpMove/
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://manual.cs50.io/2/personality
- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://man7.org/linux/man-pages/man1/dmesg.1.html
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://gtfobins.github.io/gtfobins/rsync/#shell
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://news.ycombinator.com/item?id=29504755
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- https://www.loobins.io/binaries/xattr/
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://www.loobins.io/binaries/pbpaste/
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tests/rule-references.txt
+16
View File
@@ -4133,3 +4133,19 @@ https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.
https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
https://intel.thedfirreport.com/events/view/30032
https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
https://x.com/_st0pp3r_/status/1742203752361128162?s=20
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
https://redcanary.com/blog/msix-installers/
https://github.com/CICADA8-Research/RemoteKrbRelay
https://hijacklibs.net/entries/3rd_party/oracle/jli.html
https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
https://research.eye.security/sharepoint-under-siege/
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
https://cloud.google.com/access-context-manager/docs/audit-logging
https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html