December 2024 + January 2025 updates
- 118 tools added or updated.
- 62470 detection patterns
- performance improvements for the YARA strict ruleset in the YARA rules repo
- reorganization of tags in https://github.com/mthcht/ThreatHunting-Keywords (#linux and others)
- reorganization of files in https://github.com/mthcht/ThreatHunting-Keywords (separation of the main file in specific files by category or tag)
- multiple pattern corrections
In progress:
- Automated retrieval of hashes from each tool's GitHub releases as soon as they are published
- combination with another project to automatically compile and upload to VirusTotal some critical tools selected with the metadata_severity_score
- obfuscated variants of the patterns, carrying the original pattern values in base64 and other encodings
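The base64 variants mentioned in the last item are not a single string per keyword: base64 maps 3 input bytes to 4 output characters, so the encoding of a keyword embedded in a larger command depends on its byte offset modulo 3, and PowerShell's -EncodedCommand consumes UTF-16LE rather than UTF-8. The following is an added example (not the ThreatHunting-Keywords project's own generator) that derives all three alignments for both encodings, trims the characters shared with unknown neighbouring bytes, and runs the resulting patterns over constructed sample log lines; the script text, hostnames and log lines are invented for illustration.

```python
import base64


def b64text(data: bytes) -> str:
    """Base64-encode bytes and return the ASCII text."""
    return base64.b64encode(data).decode("ascii")


def base64_variants(keyword: str, encoding: str = "utf-8") -> list[str]:
    """Return the base64 substrings that appear whenever `keyword`
    (encoded with `encoding`) is base64-encoded inside a larger byte stream.

    One variant per start offset modulo 3. Characters that also encode bits
    of the unknown bytes before or after the keyword are dropped, so each
    variant matches regardless of what surrounds the keyword.
    """
    raw = keyword.encode(encoding)
    variants = []
    for shift in range(3):
        padded = b"\x00" * shift + raw
        padded += b"\x00" * ((3 - len(padded) % 3) % 3)  # avoid '=' padding
        enc = b64text(padded)
        # The keyword occupies bits [8*shift, 8*shift + 8*len(raw)); base64
        # character i covers bits [6*i, 6*i + 6). Keep only characters whose
        # six bits all come from the keyword.
        first = -(-8 * shift // 6)                 # ceil(8*shift / 6)
        last = (8 * shift + 8 * len(raw)) // 6     # floor of the end bit
        variants.append(enc[first:last])
    return variants


def pattern_set(keyword: str) -> dict[str, list[str]]:
    """Forms a hunter should search for: the plaintext keyword, its base64
    forms for UTF-8 input (e.g. certutil -decode / shell pipelines) and for
    UTF-16LE input (what powershell.exe -EncodedCommand expects)."""
    return {
        "plain": [keyword],
        "base64_utf8": base64_variants(keyword, "utf-8"),
        "base64_utf16le": base64_variants(keyword, "utf-16le"),
    }


def detect(line: str, keyword: str) -> list[tuple[str, str]]:
    """Return (form, pattern) pairs for every pattern present in `line`.
    Matching is deliberately case-sensitive: base64 is case-sensitive, and a
    differently cased keyword produces an entirely different encoding."""
    hits = []
    for form, patterns in pattern_set(keyword).items():
        for pattern in patterns:
            if pattern and pattern in line:
                hits.append((form, pattern))
    return hits


def encoded_command(script: str) -> str:
    """Build the argument powershell.exe -EncodedCommand takes (UTF-16LE, base64)."""
    return b64text(script.encode("utf-16le"))


# Constructed sample log lines (hypothetical, not real telemetry).
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand "
    + encoded_command("Import-Module .\\sh.ps1; Invoke-SessionHunter -Targets dc01"),
    'CommandLine: powershell.exe -c "Invoke-SessionHunter -Match"',
    "CommandLine: notepad.exe C:\\Users\\bob\\notes.txt",
]


def hunt(logs: list[str], keyword: str) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return (line index, hits) for every log line matching any form of `keyword`."""
    results = []
    for index, line in enumerate(logs):
        hits = detect(line, keyword)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_LOGS, "Invoke-SessionHunter"):
        print(index, hits)
```

The trimmed variants are exactly what a `base64`/`base64wide` string modifier in YARA produces; generating them explicitly is useful when the target is a SIEM search rather than a YARA scan. Note that only one of the three UTF-16LE alignments matches the encoded command in the first sample line, which is why all three must be emitted.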
Links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
New keyword detection patterns added for the following tools:
- ACEshark
- BitLockerToGo
- BrowserGhost
- BypassAddUser
- CDK
- Carseat
- chrome_decrypt
- ChromeStealer
- CreateService
- Credphisher
- DCOMUploadExec
- comsvcs.dll
- DCSyncer
- DLLHound
- DPAT
- DecryptAutoLogon
- DecryptTeamViewer
- Disk2vhd
- Dumpy
- EventLogMaster
- EvilnoVNC
- FormThief
- Get-NetNTLM
- GonnaCry
- Graphpython
- HookSentry
- Invoke-RunAsWithCert
- Invoke-SessionHunter
- Invoke-ShareHunter
- JuicyPotato
- Krueger
- LatLoader
- MDExclusionParser
- NachoVPN
- NativeBypassCredGuard
- ObfuscatedSharpCollection
- Orc
- POC
- PasswordHashesView
- PoshADCS
- PrivExchange
- RegHiveBackup
- RustPotato
- SCCMVNC
- ShadowDumper
- ShadowHound
- SharpAVKB
- SharpEventLog
- SharpExShell
- SharpFtpC2
- SharpGraphView
- SharpLocker
- SharpMiniDump
- SharpMove
- SharpSAMDump
- ShellPwnsh
- Spyndicapped
- Sunder
- VeeamHax
- VirtualBox
- WMIHACKER
- adPEAS
- antSword
- bayfiles
- bcdedit
- bitbucket.org
- blindsight
- certutil
- chgpass
- cobaltstrike
- credhistview
- croc
- cryptomining
- del
- diskshadow
- dumper2020
- esxcli
- evilginx2
- findstr
- gTunnel
- ghostsocks
- hotkeyz
- icacls
- iptables
- keylogger
- m365-fatigue
- mediafire
- mega.nz
- netsh
- o365spray
- pastehakk
- physmem2profit
- potato
- powerview
- printspoofer
- recaptcha-phish
- rentry.co
- revbshell
- send.exploit.in
- sliver
- steam
- surfshark VPN
- reg
- taowu-cobalt-strike
- taskkill
- typeperf
- vssadmin
- webtrufflehog
- windows-defender-remover
- wiztree
- xcopy