├── AdvancedHuntingQueries
│   ├── CVE-2021-36934-HiveNightmare-Defender.ahq
│   ├── CVE-2021-36934-HiveNightmare-Sentinel-Events
│   ├── Cloudflared-ZeroTrust-tunnel.AHQ
│   ├── Defender-Abuse.ahq
│   ├── DefenderControl.ahq
│   ├── DefenderExplode.ahq
│   ├── DogWalk-DiagCab
│   ├── Find-DataUri-Javascript-SOCGholish.ahq
│   ├── Follina-Office.ahq
│   ├── Hunt-PrintNightmare
│   ├── KaseyaRansomwarePayload.ahq
│   ├── KaseyaVSAAgent-hunt.ahq
│   ├── MSExchange-UnknownSubprocesses
│   ├── OneNote-abuse.ahq
│   ├── PaperCut-CVE-2023-27350-and-CVE-2023-27351.ahq
│   ├── QueueJumper.ahq
│   ├── Rclone-data-exfil.ahq
│   ├── TheWormCircusUSB.ahq
│   ├── donPAPI-credential-theft.ahq
│   └── wmiexec-python-rce.ahq
├── AzureSentinel
│   ├── Exchange-CVE-2021-34473-SSRF
│   ├── Exchange-Powershell-via-SSRF
│   ├── Exchange-ProxyShell-RBAC
│   ├── Exchange-ProxyShell-SSRF
│   ├── FindZeroLogon-DCSync
│   ├── Successful-AITM-Phishing-Login
│   └── ZeroLogon-detect
├── EDR-BlockRules
│   └── CVE-2021-36934-HiveNightmare-Mcafee
├── LICENSE
├── README.md
├── Threat hunting - Potential malware downloads v1.0.xml
├── YARA
│   ├── BPFDoor-Unknown.yar
│   ├── BazaLoaderBackdoor.yar
│   ├── BazarLoaderBehaviour.yar
│   ├── BlackKingdom.yar
│   ├── DragonForce-Payload.YAR
│   ├── EIW.yar
│   ├── Emotet.yar
│   ├── GenericRansomware.yar
│   ├── GraceWireTA505.yar
│   ├── Qakbot.yar
│   ├── WastedGholish.yar
│   └── Zloader.yar
└── porg.jpg

/AdvancedHuntingQueries/CVE-2021-36934-HiveNightmare-Defender.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/CVE-2021-36934-HiveNightmare-Defender.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/CVE-2021-36934-HiveNightmare-Sentinel-Events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/CVE-2021-36934-HiveNightmare-Sentinel-Events
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Cloudflared-ZeroTrust-tunnel.AHQ:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Cloudflared-ZeroTrust-tunnel.AHQ
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Defender-Abuse.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Defender-Abuse.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/DefenderControl.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/DefenderControl.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/DefenderExplode.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/DefenderExplode.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/DogWalk-DiagCab:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/DogWalk-DiagCab
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Find-DataUri-Javascript-SOCGholish.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Find-DataUri-Javascript-SOCGholish.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Follina-Office.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Follina-Office.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Hunt-PrintNightmare:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Hunt-PrintNightmare
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/KaseyaRansomwarePayload.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/KaseyaRansomwarePayload.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/KaseyaVSAAgent-hunt.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/KaseyaVSAAgent-hunt.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/MSExchange-UnknownSubprocesses:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/MSExchange-UnknownSubprocesses
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/OneNote-abuse.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/OneNote-abuse.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/PaperCut-CVE-2023-27350-and-CVE-2023-27351.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/PaperCut-CVE-2023-27350-and-CVE-2023-27351.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/QueueJumper.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/QueueJumper.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/Rclone-data-exfil.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/Rclone-data-exfil.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/TheWormCircusUSB.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/TheWormCircusUSB.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/donPAPI-credential-theft.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/donPAPI-credential-theft.ahq
--------------------------------------------------------------------------------

/AdvancedHuntingQueries/wmiexec-python-rce.ahq:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AdvancedHuntingQueries/wmiexec-python-rce.ahq
--------------------------------------------------------------------------------

/AzureSentinel/Exchange-CVE-2021-34473-SSRF:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/Exchange-CVE-2021-34473-SSRF
--------------------------------------------------------------------------------

/AzureSentinel/Exchange-Powershell-via-SSRF:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/Exchange-Powershell-via-SSRF
--------------------------------------------------------------------------------

/AzureSentinel/Exchange-ProxyShell-RBAC:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/Exchange-ProxyShell-RBAC
--------------------------------------------------------------------------------

/AzureSentinel/Exchange-ProxyShell-SSRF:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/Exchange-ProxyShell-SSRF
--------------------------------------------------------------------------------

/AzureSentinel/FindZeroLogon-DCSync:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/FindZeroLogon-DCSync
--------------------------------------------------------------------------------

/AzureSentinel/Successful-AITM-Phishing-Login:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/Successful-AITM-Phishing-Login
--------------------------------------------------------------------------------

/AzureSentinel/ZeroLogon-detect:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/AzureSentinel/ZeroLogon-detect
--------------------------------------------------------------------------------

/EDR-BlockRules/CVE-2021-36934-HiveNightmare-Mcafee:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/EDR-BlockRules/CVE-2021-36934-HiveNightmare-Mcafee
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/LICENSE
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/README.md
--------------------------------------------------------------------------------

/Threat hunting - Potential malware downloads v1.0.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/Threat hunting - Potential malware downloads v1.0.xml
--------------------------------------------------------------------------------

/YARA/BPFDoor-Unknown.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/BPFDoor-Unknown.yar
--------------------------------------------------------------------------------

/YARA/BazaLoaderBackdoor.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/BazaLoaderBackdoor.yar
--------------------------------------------------------------------------------

/YARA/BazarLoaderBehaviour.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/BazarLoaderBehaviour.yar
--------------------------------------------------------------------------------

/YARA/BlackKingdom.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/BlackKingdom.yar
--------------------------------------------------------------------------------

/YARA/DragonForce-Payload.YAR:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/DragonForce-Payload.YAR
--------------------------------------------------------------------------------

/YARA/EIW.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/EIW.yar
--------------------------------------------------------------------------------

/YARA/Emotet.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/Emotet.yar
--------------------------------------------------------------------------------

/YARA/GenericRansomware.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/GenericRansomware.yar
--------------------------------------------------------------------------------

/YARA/GraceWireTA505.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/GraceWireTA505.yar
--------------------------------------------------------------------------------

/YARA/Qakbot.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/Qakbot.yar
--------------------------------------------------------------------------------

/YARA/WastedGholish.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/WastedGholish.yar
--------------------------------------------------------------------------------

/YARA/Zloader.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/YARA/Zloader.yar
--------------------------------------------------------------------------------

/porg.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GossiTheDog/ThreatHunting/HEAD/porg.jpg
--------------------------------------------------------------------------------