security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac

Browse Source 
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
frack113
2024-11-25 09:30:14 +01:00
committed by GitHub
parent d0e4e78f7a
commit d804e9cba1
45 changed files with 380 additions and 885 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deprecated/windows/driver_load_win_mal_poortry_driver.yml
-22
View File
@@ -42,28 +42,6 @@ detection:
- 'MD5=0f16a43f7989034641fd2de3eb268bf1'
- 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
- 'MD5=909f3fc221acbe999483c87d9ead024a'
selection_hash:
- sha256:
- '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
- '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
- '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
- 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
- '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
- 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
- sha1:
- '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
- 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
- '6debce728bcff73d9d1d334df0c6b1c3735e295c'
- 'cc65bf60600b64feece5575f21ab89e03a728332'
- '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
- 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
- md5:
- '10f3679384a03cb487bda9621ceb5f90'
- '04a88f5974caa621cee18f34300fc08a'
- '6fcf56f6ca3210ec397e55f727353c4a'
- '0f16a43f7989034641fd2de3eb268bf1'
- 'ee6b1a79cb6641aa44c762ee90786fe0'
- '909f3fc221acbe999483c87d9ead024a'
condition: 1 of selection*
falsepositives:
- Legitimate BIOS driver updates (should be rare)
deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml
+1 -5
View File
@@ -19,16 +19,12 @@ detection:
- 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'
- 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
- 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
selection_other:
- md5: 'a179c4093d05a3e1ee73f6ff07f994aa'
- sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
- sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
driver_img:
ImageLoaded|endswith: '\aswArPot.sys'
driver_status:
- Signed: 'false'
- SignatureStatus: Expired
condition: 1 of selection* or all of driver_*
condition: selection_sysmon or all of driver_*
falsepositives:
- Unknown
level: high
deprecated/windows/driver_load_win_vuln_dell_driver.yml
-10
View File
@@ -26,16 +26,6 @@ detection:
- 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
- 'MD5=C996D7971C49252C582171D9380360F2'
- 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
selection_hash:
- sha256:
- '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
- 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
- sha1:
- 'c948ae14761095e4d76b55d9de86412258be7afd'
- '10b30bdee43b3a2ec4aa63375577ade650269d25'
- md5:
- 'c996d7971c49252c582171d9380360f2'
- 'd2fd132ab7bbc6bbb87a84f026fa0244'
condition: 1 of selection*
falsepositives:
- Legitimate BIOS driver updates (should be rare)
deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml
+2 -12
View File
@@ -18,7 +18,7 @@ logsource:
product: windows
category: driver_load
detection:
selection_sysmon:
selection:
Hashes|contains:
- 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3'
- 'MD5=C832A4313FF082258240B61B88EFA025'
@@ -26,17 +26,7 @@ detection:
- 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46'
- 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427'
- 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B'
selection_other:
- md5:
- '9ab9f3b75a2eb87fafb1b7361be9dfb3'
- 'c832a4313ff082258240b61b88efa025'
- sha1:
- 'fe10018af723986db50701c8532df5ed98b17c39'
- '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46'
- sha256:
- '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
- 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'
condition: 1 of selection*
condition: selection
falsepositives:
- Unknown
level: high
deprecated/windows/driver_load_win_vuln_hw_driver.yml
-13
View File
@@ -28,19 +28,6 @@ detection:
- 'MD5=3247014BA35D406475311A2EAB0C4657'
- 'MD5=376B1E8957227A3639EC1482900D9B97'
- 'MD5=45C2D133D41D2732F3653ED615A745C8'
selection_other:
- sha256:
- '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8'
- '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa'
- '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5'
- sha1:
- '74e4e3006b644392f5fcea4a9bae1d9d84714b57'
- '18f34a0005e82a9a1556ba40b997b0eae554d5fd'
- '4e56e0b1d12664c05615c69697a2f5c5d893058a'
- md5:
- '3247014ba35d406475311a2eab0c4657'
- '376b1e8957227a3639ec1482900d9b97'
- '45c2d133d41d2732f3653ed615a745c8'
condition: 1 of selection*
falsepositives:
- Unknown
deprecated/windows/driver_load_win_vuln_lenovo_driver.yml
+2 -6
View File
@@ -16,16 +16,12 @@ logsource:
category: driver_load
product: windows
detection:
selection_sysmon:
selection:
Hashes|contains:
- 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE'
- 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F'
- 'MD5=B941C8364308990EE4CC6EADF7214E0F'
selection_hash:
- sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'
- sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f'
- md5: 'b941c8364308990ee4cc6eadf7214e0f'
condition: 1 of selection*
condition: selection
falsepositives:
- Legitimate driver loads (old driver that didn't receive an update)
level: high
deprecated/windows/proc_creation_win_apt_gallium.yml
+1 -1
View File
@@ -25,7 +25,7 @@ detection:
- ':\Program Files(x86)\'
- ':\Program Files\'
legitimate_executable:
sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f'
Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f'
condition: legitimate_executable and not legitimate_process_path
falsepositives:
- Unknown
deprecated/windows/proc_creation_win_renamed_paexec.yml
-5
View File
@@ -21,11 +21,6 @@ logsource:
detection:
selection:
- Product|contains: 'PAExec'
- Imphash:
- 11D40A7B7876288F919AB819CC2D9802
- 6444f8a34e99b8f7d9647de66aabe516
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
- Hashes|contains:
- IMPHASH=11D40A7B7876288F919AB819CC2D9802
- IMPHASH=6444f8a34e99b8f7d9647de66aabe516
rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
+3 -44
View File
@@ -7,7 +7,7 @@ references:
- https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
author: Tim Burrell
date: 2020-02-07
modified: 2023-03-09
modified: 2024-11-23
tags:
- attack.credential-access
- attack.command-and-control
@@ -19,7 +19,7 @@ logsource:
product: windows
category: process_creation
detection:
selection_sysmon:
selection:
Hashes|contains:
- 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
@@ -59,48 +59,7 @@ detection:
- 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
selection_hashes:
- sha256:
- '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- sha1:
- '53a44c2396d15c3a03723fa5e5db54cafd527635'
- '9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'aeb573accfd95758550cf30bf04f389a92922844'
- '79ef78a797403a4ed1a616c68e07fff868a8650a'
- '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'e841a63e47361a572db9a7334af459ddca11347a'
- 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'dd44133716b8a241957b912fa6a02efde3ce3025'
- '8793bf166cb89eb55f0593404e4e933ab605e803'
- 'a39b57032dbb2335499a51e13470a7cd5d86b138'
- '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'd209430d6af54792371174e70e27dd11d3def7a7'
- '1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
condition: 1 of selection_*
condition: selection
falsepositives:
- Unknown
level: high
rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+3 -18
View File
@@ -21,6 +21,7 @@ references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-31
modified: 2024-11-23
tags:
- attack.defense-evasion
- detection.emerging-threats
@@ -28,7 +29,7 @@ logsource:
category: image_load
product: windows
detection:
selection_hashes_1:
selection:
Hashes|contains:
# ffmpeg.dll
- 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
@@ -46,23 +47,7 @@ detection:
- 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'
- 'MD5=7FAEA2B01796B80D180399040BB69835'
selection_hashes_2:
- sha256:
- '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- sha1:
- 'BF939C9C261D27EE7BB92325CC588624FCA75429'
- '20D554A80D759C50D6537DD7097FED84DD258B3E'
- '894E7D4FFD764BB458809C7F0643694B036EAD30'
- '3B3E778B647371262120A523EB873C20BB82BEAF'
- md5:
- '74BC2D0B6680FAA1A5A76B27E5479CBC'
- '82187AD3F0C6C225E2FBA0C867280CC9'
- '11BC82A9BD8297BD0823BCE5D6202082'
- '7FAEA2B01796B80D180399040BB69835'
condition: 1 of selection_*
condition: selection
falsepositives:
- Unlikely
level: critical
rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+3 -31
View File
@@ -21,7 +21,7 @@ references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1218
@@ -31,7 +31,7 @@ logsource:
category: process_creation
product: windows
detection:
selection_hashes_1:
selection_hashes:
Hashes|contains:
# 3CX Desktop 18.12.407
- 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
@@ -60,41 +60,13 @@ detection:
- 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
- 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_hashes_2:
- sha256:
- 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- sha1:
- '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- '3B43A5D8B83C637D00D769660D01333E88F5A187'
- '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- md5:
- 'BB915073385DD16A846DFA318AFA3C19'
- '08D79E1FFFA244CC0DC61F7D2036ACA9'
- '4965EDF659753E3C05D800C6C8A23A7A'
- '9833A4779B69B38E3E51F04E395674C6'
- '704DB9184700481A56E5100FB56496CE'
- '8EE6802F085F7A9DF7E0303E65722DC0'
- 'F3D4144860CA10BA60F7EF4D176CC736'
- '0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_pe_1:
- OriginalFileName: '3CXDesktopApp.exe'
- Image|endswith: '\3CXDesktopApp.exe'
- Product: '3CX Desktop App'
selection_pe_2:
FileVersion|contains: '18.12.'
condition: all of selection_pe_* or 1 of selection_hashes_*
condition: all of selection_pe_* or selection_hashes
falsepositives:
- Legitimate usage of 3CXDesktopApp
level: high
rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+104 -207
View File
@@ -16,7 +16,7 @@ references:
- https://github.com/wavestone-cdt/EDRSandblast
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-01-02
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.s0139
@@ -27,212 +27,109 @@ logsource:
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
- Imphash:
- bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
- 3a19059bd7688cb88e70005f18efc439 # PetitPotam
- bf6223a49e45d99094406777eb6004ba # PetitPotam
- 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
- 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
- 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
- 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
- 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
- 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
- 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
- 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
- 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
- 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
- 9da6d5d77be11712527dcab86df449a3 # Mimikatz
- a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
- b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
- d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
- fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
- 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- 6118619783fc175bc7ebecff0769b46e # RoguePotato
- 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
- 563233bfa169acc7892451f71ad5850a # RoguePotato
- 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
- 13f08707f759af6003837a150a371ba1 # Pwdump
- 1781f06048a7e58b323f0b9259be798b # Pwdump
- 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
- 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
- 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
- 713c29b396b907ed71a72482759ed757 # Pwdump
- 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
- 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
- 8b114550386e31895dfab371e741123d # Pwdump
- 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
- 9d68781980370e00e0bd939ee5e6c141 # Pwdump
- b18a1401ff8f444056d29450fbc0a6ce # Pwdump
- cb567f9498452721d77a451374955f5f # Pwdump
- 730073214094cd328547bf1f72289752 # Htran
- 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
- dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
- 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
- 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
- c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
- 0588081ab0e63ba785938467e1b10cca # PPLDump
- 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
- bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
- 4da924cf622d039d58bce71cdf05d242 # NanoDump
- e7a3a5c377e2d29324093377d7db1c66 # NanoDump
- 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
- af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
- 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
- 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
- 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
- e6f9d5152da699934b30daab206471f6 # NanoDump
- 3ad59991ccf1d67339b319b15a41b35d # NanoDump
- ffdd59e0318b85a3e480874d9796d872 # NanoDump
- 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
- 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
- d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
- 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
- 0e2216679ca6e1094d63322e3412d650 # HandleKatz
- ada161bf41b8e5e9132858cb54cab5fb # DripLoader
- 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
- 11083e75553baae21dc89ce8f9a195e4 # DripLoader
- a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
- 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
- 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
- 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
- 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
- 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
- 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
- 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
- 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
- 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
- dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
- 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
- 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
- a53a02b997935fd8eedcb5f7abab9b9f # WCE
- e96a73c7bf33a464c510ede582318bf2 # WCE
- 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
- 09D278F9DE118EF09163C6140255C690 # Dumpert
- 03866661686829d806989e2fc5a72606 # Dumpert
- e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- 19584675d94829987952432e018d5056 # SysmonQuiet
- 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
- 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- 96df3a3731912449521f6f8d183279b1 # Backstab
- 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
- 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
- 25ce42b079282632708fc846129e98a5 # Forensia
- 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
- 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
- 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
- 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
- 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
- cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
- 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
- 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
- Hash|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
- IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
- IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
- IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
- IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
- IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
- IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
- IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
- IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
- IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
- IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
- IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
- IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
- IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
- IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
Hash|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
- IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
- IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
- IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
- IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
- IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
- IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
- IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
- IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
- IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
- IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
- IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
- IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
- IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
- IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
condition: selection
falsepositives:
- Unknown
rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+9 -16
View File
@@ -9,7 +9,7 @@ references:
- https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2023-05-08
modified: 2024-11-23
tags:
- attack.privilege-escalation
- cve.2021-21551
@@ -18,21 +18,14 @@ logsource:
category: driver_load
product: windows
detection:
selection_image:
ImageLoaded|endswith: '\kprocesshacker.sys'
selection_processhack_sysmon:
Hashes|contains:
- 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
selection_processhack_hashes:
Imphash:
- '821D74031D3F625BCBD0DF08B70F1E77'
- 'F86759BB4DE4320918615DC06E998A39'
- '0A64EEB85419257D0CE32BD5D55C3A18'
- '6E7B34DFC017700B1517B230DF6FF0D0'
condition: 1 of selection_*
selection:
- ImageLoaded|endswith: '\kprocesshacker.sys'
- Hashes|contains:
- 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
condition: selection
falsepositives:
- Legitimate use of process hacker or system informer by developers or system administrators
level: high
rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+18 -33
View File
@@ -10,6 +10,7 @@ references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543
@@ -17,39 +18,23 @@ logsource:
category: driver_load
product: windows
detection:
selection_image:
ImageLoaded|endswith: '\SystemInformer.sys'
selection_systeminformer_sysmon:
Hashes|contains:
- 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
- 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
- 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
- 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
- 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
- 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
- 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
- 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
- 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
- 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
- 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
- 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
- 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
selection_systeminformer_hashes:
sha256:
- '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
- 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
- '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
- 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
- '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
- '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
- '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
- '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
- 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
- '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
- '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
- 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
- '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
condition: 1 of selection_*
selection:
- ImageLoaded|endswith: '\SystemInformer.sys'
- Hashes|contains:
- 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
- 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
- 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
- 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
- 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
- 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
- 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
- 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
- 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
- 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
- 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
- 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
- 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+7 -12
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2022-11-19
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543.003
@@ -14,17 +14,12 @@ logsource:
product: windows
category: driver_load
detection:
selection_name:
ImageLoaded|endswith: '\HEVD.sys'
selection_sysmon:
Hashes|contains:
- 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
selection_other:
Imphash:
- 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
condition: 1 of selection*
selection:
- ImageLoaded|endswith: '\HEVD.sys'
- Hashes|contains:
- 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
condition: selection
falsepositives:
- Unlikely
level: high
rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+10 -13
View File
@@ -7,7 +7,7 @@ references:
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
author: Florian Roth (Nextron Systems)
date: 2022-07-26
modified: 2022-11-19
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.t1543.003
@@ -15,18 +15,15 @@ logsource:
product: windows
category: driver_load
detection:
selection_name:
ImageLoaded|endswith:
- '\WinRing0x64.sys'
- '\WinRing0.sys'
- '\WinRing0.dll'
- '\WinRing0x64.dll'
- '\winring00x64.sys'
selection_sysmon:
Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
selection_other:
Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
condition: 1 of selection*
selection:
- Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
- ImageLoaded|endswith:
- '\WinRing0x64.sys'
- '\WinRing0.sys'
- '\WinRing0.dll'
- '\WinRing0x64.dll'
- '\winring00x64.sys'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/driver_load/driver_load_win_windivert.yml
+28 -49
View File
@@ -7,7 +7,7 @@ references:
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2022-11-19
modified: 2024-11-23
tags:
- attack.collection
- attack.defense-evasion
@@ -18,54 +18,33 @@ logsource:
product: windows
detection:
selection:
ImageLoaded|contains:
- '\WinDivert.sys'
- '\WinDivert64.sys'
# Other used names
- '\NordDivert.sys'
- '\lingtiwfp.sys'
- '\eswfp.sys'
selection_sysmon:
Hashes|contains:
- 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
- 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
- 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
- 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
- 'IMPHASH=58623490691babe8330adc81cd04a663'
- 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
- 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
- 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
- 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
- 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
- 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
- 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
- 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
- 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
- 'IMPHASH=a74929edfc3289895e3f2885278947ae'
- 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
- 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
selection_hashes:
Imphash:
- '0604bb7cb4bb851e2168d5c7d9399087'
- '2e5f0e649d97f32b03c09e4686d0574f'
- '52f8aa269f69f0edad9e8fcdaedce276'
- 'c0e5d314da39dbf65a2dbff409cc2c76'
- '58623490691babe8330adc81cd04a663'
- '8ee39b48656e4d6b8459d7ba7da7438b'
- '45ee545ae77e8d43fc70ede9efcd4c96'
- 'a1b2e245acd47e4a348e1a552a02859a'
- '2a5f85fe4609461c6339637594fa9b0a'
- '6b2c6f95233c2914d1d488ee27531acc'
- '9f2fdd3f9ab922bbb0560a7df46f4342'
- 'd8a719865c448b1bd2ec241e46ac1c88'
- '0ea54f8c9af4a2fe8367fa457f48ed38'
- '9d519ae0a0864d6d6ae3f8b6c9c70af6'
- 'a74929edfc3289895e3f2885278947ae'
- 'a66b476c2d06c370f0a53b5537f2f11e'
- 'bdcd836a46bc2415773f6b5ea77a46e4'
- 'c28cd6ccd83179e79dac132a553693d9'
condition: 1 of selection*
- ImageLoaded|contains:
- '\WinDivert.sys'
- '\WinDivert64.sys'
# Other used names
- '\NordDivert.sys'
- '\lingtiwfp.sys'
- '\eswfp.sys'
- Hashes|contains:
- 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
- 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
- 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
- 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
- 'IMPHASH=58623490691babe8330adc81cd04a663'
- 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
- 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
- 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
- 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
- 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
- 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
- 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
- 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
- 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
- 'IMPHASH=a74929edfc3289895e3f2885278947ae'
- 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
- 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
condition: selection
falsepositives:
- Legitimate WinDivert driver usage
level: high
rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+2 -3
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-17
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1562.002
@@ -18,8 +18,7 @@ logsource:
product: windows
detection:
selection:
- Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
- Imphash: '330768a4f172e10acb6287b87289d83b'
Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
condition: selection
falsepositives:
- Other DLLs with the same Imphash
rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
+5 -9
View File
@@ -7,7 +7,7 @@ references:
- https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
modified: 2024-04-15
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -21,14 +21,10 @@ detection:
selection_params:
CommandLine|contains: ' --exploitId '
selection_loader_imphash:
- Imphash:
- 'a75d7669db6b2e107a44c4057ff7f7d6'
- 'f91624350e2c678c5dcbe5e1f24e22c9'
- '14c81850a079a87e83d50ca41c709a15'
- Hashes|contains:
- 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
- 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
- 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
Hashes|contains:
- 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
- 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
- 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
condition: 1 of selection_*
falsepositives:
- Unknown
rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+1 -2
View File
@@ -6,7 +6,7 @@ references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2023-02-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -16,7 +16,6 @@ logsource:
detection:
selection:
- Image|endswith: '\CreateMiniDump.exe'
- Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
- Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
condition: selection
falsepositives:
rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+90 -179
View File
@@ -6,7 +6,7 @@ references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-02-07
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1588.002
@@ -16,184 +16,95 @@ logsource:
product: windows
detection:
selection:
- Imphash:
- bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
- 3a19059bd7688cb88e70005f18efc439 # PetitPotam
- bf6223a49e45d99094406777eb6004ba # PetitPotam
- 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- 6118619783fc175bc7ebecff0769b46e # RoguePotato
- 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
- 563233bfa169acc7892451f71ad5850a # RoguePotato
- 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
- 13f08707f759af6003837a150a371ba1 # Pwdump
- 1781f06048a7e58b323f0b9259be798b # Pwdump
- 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
- 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
- 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
- 713c29b396b907ed71a72482759ed757 # Pwdump
- 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
- 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
- 8b114550386e31895dfab371e741123d # Pwdump
- 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
- 9d68781980370e00e0bd939ee5e6c141 # Pwdump
- b18a1401ff8f444056d29450fbc0a6ce # Pwdump
- cb567f9498452721d77a451374955f5f # Pwdump
- 730073214094cd328547bf1f72289752 # Htran
- 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
- dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
- 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
- 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
- c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
- 0588081ab0e63ba785938467e1b10cca # PPLDump
- 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
- bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
- 4da924cf622d039d58bce71cdf05d242 # NanoDump
- e7a3a5c377e2d29324093377d7db1c66 # NanoDump
- 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
- af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
- 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
- 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
- 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
- e6f9d5152da699934b30daab206471f6 # NanoDump
- 3ad59991ccf1d67339b319b15a41b35d # NanoDump
- ffdd59e0318b85a3e480874d9796d872 # NanoDump
- 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
- 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
- d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
- 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
- 0e2216679ca6e1094d63322e3412d650 # HandleKatz
- ada161bf41b8e5e9132858cb54cab5fb # DripLoader
- 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
- 11083e75553baae21dc89ce8f9a195e4 # DripLoader
- a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
- 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
- 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
- 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
- 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
- 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
- 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
- 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
- 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
- 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
- dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
- 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
- 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
- a53a02b997935fd8eedcb5f7abab9b9f # WCE
- e96a73c7bf33a464c510ede582318bf2 # WCE
- 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
- 09D278F9DE118EF09163C6140255C690 # Dumpert
- 03866661686829d806989e2fc5a72606 # Dumpert
- e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- 19584675d94829987952432e018d5056 # SysmonQuiet
- 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
- 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- 96df3a3731912449521f6f8d183279b1 # Backstab
- 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
- 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
- 25ce42b079282632708fc846129e98a5 # Forensia
- 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
- 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
- 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
- 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
- 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
- cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
- 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
- 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
- b50199e952c875241b9ce06c971ce3c1 # EventLogCrasher
- Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+1 -5
View File
@@ -6,7 +6,7 @@ references:
- http://www.gmer.net/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
modified: 2023-02-13
modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -20,10 +20,6 @@ detection:
- 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
- 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
- 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
selection_other:
- md5: 'e9dc058440d321aa17d0600b3ca0ab04'
- sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
- sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
condition: 1 of selection_*
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+4 -7
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-04-15
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -18,12 +18,9 @@ detection:
Image|endswith: '\loader.exe'
CommandLine|contains: '--pid:'
selection_loader_imphash:
- Imphash:
- '38d9e015591bbfd4929e0d0f47fa0055'
- '0e2216679ca6e1094d63322e3412d650'
- Hashes|contains:
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
Hashes|contains:
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
selection_flags:
CommandLine|contains|all:
- '--pid:'
rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+3 -7
View File
@@ -7,7 +7,7 @@ references:
- https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2023-02-08
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.defense-evasion
@@ -24,16 +24,12 @@ detection:
- ' list '
- ' exec '
- ' adduser '
selection_hash_plain:
selection_hash:
Hashes|contains:
- 'MD5=9520714AB576B0ED01D1513691377D01'
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
selection_hash_ext:
- md5: '9520714AB576B0ED01D1513691377D01'
- sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- Imphash: '0A358FFC1697B7A07D0E817AC740DF62'
condition: all of selection_commandline_* or 1 of selection_hash_*
condition: all of selection_commandline_* or selection_hash
falsepositives:
- Unknown
level: medium
rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
+1 -4
View File
@@ -7,6 +7,7 @@ references:
- https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -25,10 +26,6 @@ detection:
Hashes|contains:
- 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
- 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
selection_hash_ext:
Imphash:
- 'E1742EE971D6549E8D4D81115F88F1FC'
- 'DD82066EFBA94D7556EF582F247C8BB5'
condition: 1 of selection_*
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+1 -14
View File
@@ -8,7 +8,7 @@ references:
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2023-02-13
modified: 2024-11-23
tags:
- attack.execution
- attack.discovery
@@ -38,19 +38,6 @@ detection:
- 'MD5=228DD0C2E6287547E26FFBD973A40F14'
- 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
- 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
selection_hash_values:
- md5:
- '228dd0c2e6287547e26ffbd973a40f14'
- '987b65cd9b9f4e9a1afd8f8b48cf64a7'
- sha1:
- '5f1cbc3d99558307bc1250d084fa968521482025'
- '3fb89787cb97d902780da080545584d97fb1c2eb'
- sha256:
- '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
- '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
- Imphash:
- '444d210cea1ff8112f256a4997eed7ff'
- '0479f44df47cfa2ef1ccc4416a538663'
condition: 1 of selection_*
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+1 -6
View File
@@ -9,7 +9,7 @@ references:
- https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
author: Florian Roth (Nextron Systems)
date: 2022-07-23
modified: 2023-03-07
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1134.004
@@ -37,11 +37,6 @@ detection:
- 'spoofppid'
- 'spoofedppid'
- Description: 'SelectMyParent'
- Imphash:
- '04d974875bd225f00902b4cad9af3fbc'
- 'a782af154c9e743ddf3f3eb2b8f3d16e'
- '89059503d7fbf470e68f7e63313da3ad'
- 'ca28337632625c8281ab8a130b3d6bad'
- Hashes|contains:
- 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
- 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+1 -3
View File
@@ -6,6 +6,7 @@ references:
- https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2024-11-23
tags:
- attack.execution
- attack.defense-evasion
@@ -22,9 +23,6 @@ detection:
- Hashes|contains:
- 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
- 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
- sha256:
- '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
- 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
condition: selection
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+4 -7
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-04-15
modified: 2024-11-23
tags:
- cve.2022-41120
- attack.t1068
@@ -18,12 +18,9 @@ detection:
selection_img:
Image|endswith: '\SysmonEOP.exe'
selection_hash:
- Hashes|contains:
- 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
- Imphash:
- '22f4089eb8aba31e1bb162c6d9bf72e5'
- '5123fa4c4384d431cd0d893eeb49bbec'
Hashes|contains:
- 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
condition: 1 of selection_*
falsepositives:
- Unlikely
rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
+1 -14
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2021-08-30
modified: 2022-11-19
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -46,19 +46,6 @@ detection:
- 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
- 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
- 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
selection_hashes_other:
Imphash:
- '767637c23bb42cd5d7397cf58b0be688'
- '14c4e4c72ba075e9069ee67f39188ad8'
- '3c782813d4afce07bbfc5a9772acdbdc'
- '7d010c6bb6a3726f327f7e239166d127'
- '89159ba4dd04e4ce5559f132a9964eb3'
- '6f33f4a5fc42b8cec7314947bd13f30f'
- '5834ed4291bdeb928270428ebbaf7604'
- '5a8a8a43f25485e7ee1b201edcbc7a38'
- 'dc7d30b90b2d8abf664fbed2b1b59894'
- '41923ea1f824fe63ea5beb84db7a3e74'
- '3de09703c8e79ed2ca3f01074719906b'
condition: 1 of selection_*
falsepositives:
- Unknown
rules/windows/process_creation/proc_creation_win_hktl_wce.yml
+4 -7
View File
@@ -6,7 +6,7 @@ references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2023-02-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
@@ -16,12 +16,9 @@ logsource:
product: windows
detection:
selection_1:
- Imphash:
- a53a02b997935fd8eedcb5f7abab9b9f
- e96a73c7bf33a464c510ede582318bf2
- Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- IMPHASH=e96a73c7bf33a464c510ede582318bf2
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
+1 -2
View File
@@ -7,7 +7,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2022-03-04
modified: 2024-11-23
tags:
- attack.execution
- attack.defense-evasion
@@ -18,7 +18,6 @@ logsource:
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
rules/windows/process_creation/proc_creation_win_pua_frp.yml
+5 -8
View File
@@ -7,7 +7,7 @@ references:
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2023-02-04
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -23,13 +23,10 @@ detection:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
- Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
- md5: '7d9c233b8c9e3f0ea290d2b84593c842'
- sha1: '06ddc9280e1f1810677935a2477012960905942f'
- sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
rules/windows/process_creation/proc_creation_win_pua_iox.yml
+5 -8
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2023-02-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -24,13 +24,10 @@ detection:
- '.exe proxy -r '
selection_hashes:
# v0.4
- Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
- md5: '9db2d314dd3f704a02051ef5ea210993'
- sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd'
- sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'
Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
+1 -5
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2023-02-13
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1105
@@ -21,10 +21,6 @@ detection:
- MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
selection_hash:
- md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
condition: 1 of selection_*
falsepositives:
- Legitimate use of Nim on a developer systems
rules/windows/process_creation/proc_creation_win_pua_nps.yml
+5 -8
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2023-02-04
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
@@ -25,13 +25,10 @@ detection:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
- Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
- md5: 'ae8acf66bfe3a44148964048b826d005'
- sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181'
- sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856'
Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+12 -26
View File
@@ -13,7 +13,7 @@ references:
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth (Nextron Systems)
date: 2022-10-10
modified: 2023-12-11
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.discovery
@@ -26,7 +26,7 @@ logsource:
category: process_creation
product: windows
detection:
selection_image:
selection:
- Image|contains: '\ProcessHacker_'
- Image|endswith: '\ProcessHacker.exe'
- OriginalFileName:
@@ -34,30 +34,16 @@ detection:
- 'Process Hacker'
- Description: 'Process Hacker'
- Product: 'Process Hacker'
selection_hashes:
Hashes|contains:
- 'MD5=68F9B52895F4D34E74112F3129B3B00D'
- 'MD5=B365AF317AE730A67C936F21432B9C71'
- 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
- 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
- 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
- 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
- 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
- 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
selection_hash_values:
- md5:
- '68f9b52895f4d34e74112f3129b3b00d'
- 'b365af317ae730a67c936f21432b9c71'
- sha1:
- 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e'
- 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d'
- sha256:
- 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
- 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
- Imphash:
- '04de0ad9c37eb7bd52043d2ecac958df'
- '3695333c60dedecdcaff1590409aa462'
condition: 1 of selection_*
- Hashes|contains:
- 'MD5=68F9B52895F4D34E74112F3129B3B00D'
- 'MD5=B365AF317AE730A67C936F21432B9C71'
- 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
- 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
- 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
- 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
- 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
- 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
condition: selection
falsepositives:
- While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
level: medium
rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+10 -15
View File
@@ -9,6 +9,7 @@ references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
@@ -21,25 +22,19 @@ logsource:
category: process_creation
product: windows
detection:
selection_image:
selection:
- Image|endswith: '\SystemInformer.exe'
- OriginalFileName: 'SystemInformer.exe'
- Description: 'System Informer'
- Product: 'System Informer'
selection_hashes:
Hashes|contains:
# Note: add other hashes as needed
# 3.0.11077.6550
- 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
- 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
selection_hash_values:
- md5: '19426363A37C03C3ED6FEDF57B6696EC'
- sha1: '8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- sha256: '8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- Imphash: 'B68908ADAEB5D662F87F2528AF318F12'
condition: 1 of selection_*
- Hashes|contains:
# Note: add other hashes as needed
# 3.0.11077.6550
- 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
- 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+1 -2
View File
@@ -6,7 +6,7 @@ references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-03-05
modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -17,7 +17,6 @@ detection:
- Image|endswith: '\client32.exe'
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
filter:
Image|startswith:
rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+4 -7
View File
@@ -11,7 +11,7 @@ references:
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-02-14
modified: 2024-11-23
tags:
- attack.discovery
- attack.t1018
@@ -44,12 +44,9 @@ detection:
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
- Imphash:
- bca5675746d13a1f246e2da3c2217492
- 53e117a96057eaf19c41380d0e87f1c2
- Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
+5 -9
View File
@@ -10,7 +10,7 @@ references:
- https://www.autoitscript.com/site/
author: Florian Roth (Nextron Systems)
date: 2023-06-04
modified: 2023-09-19
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1027
@@ -23,14 +23,10 @@ detection:
- ' /AutoIt3ExecuteScript'
- ' /ErrorStdOut'
selection_2:
- Imphash:
- 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries
- 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries
- 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries
- Hashes|contains:
- 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
Hashes|contains:
- 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
selection_3:
OriginalFileName:
- 'AutoIt3.exe'
rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+1 -2
View File
@@ -6,7 +6,7 @@ references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-04
modified: 2024-11-23
tags:
- attack.defense-evasion
logsource:
@@ -16,7 +16,6 @@ detection:
selection:
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
filter:
Image|endswith: '\client32.exe'
rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+3 -8
View File
@@ -10,7 +10,7 @@ references:
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
author: Florian Roth (Nextron Systems), Jason Lynch
date: 2021-05-22
modified: 2023-02-14
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1202
@@ -22,20 +22,15 @@ detection:
- Description: 'PAExec Application'
- OriginalFileName: 'PAExec.exe'
- Product|contains: 'PAExec'
- Imphash:
- 11D40A7B7876288F919AB819CC2D9802
- 6444f8a34e99b8f7d9647de66aabe516
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
- Hashes|contains:
- IMPHASH=11D40A7B7876288F919AB819CC2D9802
- IMPHASH=6444f8a34e99b8f7d9647de66aabe516
- IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
- IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
filter:
filter_main_known_location:
- Image|endswith: '\paexec.exe'
- Image|startswith: 'C:\Windows\PAExec-'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+1 -5
View File
@@ -9,7 +9,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Markus Neis, Florian Roth
date: 2019-01-16
modified: 2023-02-15
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1047
@@ -24,10 +24,6 @@ detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Imphash:
- 1B1A3F43BF37B5BFE60751F2EE2F326E
- 37777A96245A3C74EB217308F3546F4C
- 9D87C9D67CE724033C0B40CC4CA1B206
- Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
- IMPHASH=37777A96245A3C74EB217308F3546F4C
tests/test_logsource.py
+16 -16
View File
@@ -282,22 +282,22 @@ def load_fields_json(name: str):
# Add common field
for product in data:
for category in data[product]["category"]:
if "Hashes" in data[product]["category"][category]:
data[product]["category"][category] += [
"md5",
"sha1",
"sha256",
"Imphash",
]
if (
"Hash" in data[product]["category"][category]
): # Sysmon 15 create_stream_hash
data[product]["category"][category] += [
"md5",
"sha1",
"sha256",
"Imphash",
]
# if "Hashes" in data[product]["category"][category]:
# data[product]["category"][category] += [
# "md5",
# "sha1",
# "sha256",
# "Imphash",
# ]
# if (
# "Hash" in data[product]["category"][category]
# ): # Sysmon 15 create_stream_hash
# data[product]["category"][category] += [
# "md5",
# "sha1",
# "sha256",
# "Imphash",
# ]
if "common" in data[product].keys():
data[product]["category"][category] += data[product]["common"]
for service in data[product]["service"]: