├── .gitignore ├── LICENSE.md ├── README.md ├── extractors ├── README.md ├── lobshot │ ├── README.md │ ├── lobshot_config_extractor.py │ └── requirements.txt ├── redlinestealer │ ├── README.md │ └── redlinestealer_config_extractor.py ├── remcos │ ├── README.md │ └── remcos_configuration_extractor.py └── strelastealer │ └── strela_stealer_payload_extractor.py ├── indicators ├── README.md ├── app-bound_bypass │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── banshee │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── bitsloth │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── blister │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── confused_rat │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ghostengine │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ghostpulse │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── grimresource │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── guloader │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── jokerspy │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── lobshot │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── outlaw │ ├── README.md │ └── ecs-indicators.ndjson ├── pikabot │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── r77 │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ref0657 │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ref5961 │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ref6138 │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── ref7001 │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── rustbucket │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── shelby-strategy │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── shellter │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── spectralviper │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json ├── tollbooth │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json └── warmcookie │ ├── README.md │ ├── ecs-indicators.ndjson │ └── stix-bundle.json └── tools ├── README.md ├── abyssworker └── client │ ├── CMakeLists.txt │ ├── README.md │ ├── main.c │ ├── main.h │ └── output.png ├── alcatraz ├── 0.find_custom_entrypoint.py ├── 1.remove_anti_disassembly.py ├── 2.deobfuscate_alcatraz.py ├── README.md ├── bin │ ├── all_techniques.bin │ ├── anti_disassembly.bin │ ├── cfg_flattening.bin │ ├── hidden_entrypoint.bin │ ├── immediate_mov.bin │ ├── lea_obfuscation.bin │ └── mutate.bin ├── images │ ├── clean_lea.png │ ├── constant_unfolding_fix.png │ ├── find_entrypoint.png │ ├── mutation_recovery.png │ └── patch_anti_disassembly.png ├── requirements.txt └── utils │ ├── __init__.py │ ├── common.py │ └── patterns.py ├── blister ├── README.md └── blister_payload_extractor.py ├── ghostpulse ├── README.md └── ghostpulse_payload_extractor.py ├── guloader ├── README.md └── guloader_FixCFG.py ├── icedid ├── README.md ├── decompress_file.py ├── decrypt_file.py ├── gzip-variant │ ├── context.example.json │ ├── core_payloads.yar │ ├── extract_gzip.py │ ├── extract_payloads_from_core.py │ ├── load_core.py │ └── read_configuration.py └── rebuild_pe.py ├── ida_scripts ├── README.md └── hexrays_examples │ ├── ctree_practical_example.py │ ├── ctree_traversal.py │ └── microcode_traversal.py ├── latrodectus ├── README.md └── latro_str_decrypt.py ├── malware_research ├── README.md ├── custom_pipelines.py ├── enrich_policy_setup.py ├── gsub_pipeline_json_object.py └── requirements.txt ├── shellter ├── README.md ├── ShellterUnpacker.bin └── ShellterUnpacker.cpp ├── stix-to-ecs ├── README.md ├── configuration.json ├── extra │ └── clean_stix.py ├── requirements.txt ├── stix_to_ecs.py └── test-inputs │ ├── cisa_sample_stix.json │ └── guloader_sample_stix.json └── warmcookie ├── README.md ├── images ├── decrypted.png ├── output.png └── warmcookie.png ├── warmcookie_http.py └── warmcookie_str_decrypt.py /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/.gitignore -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/LICENSE.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/README.md -------------------------------------------------------------------------------- /extractors/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/README.md -------------------------------------------------------------------------------- /extractors/lobshot/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/lobshot/README.md -------------------------------------------------------------------------------- /extractors/lobshot/lobshot_config_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/lobshot/lobshot_config_extractor.py -------------------------------------------------------------------------------- /extractors/lobshot/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/lobshot/requirements.txt -------------------------------------------------------------------------------- /extractors/redlinestealer/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/redlinestealer/README.md -------------------------------------------------------------------------------- /extractors/redlinestealer/redlinestealer_config_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/redlinestealer/redlinestealer_config_extractor.py -------------------------------------------------------------------------------- /extractors/remcos/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/remcos/README.md -------------------------------------------------------------------------------- /extractors/remcos/remcos_configuration_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/remcos/remcos_configuration_extractor.py -------------------------------------------------------------------------------- /extractors/strelastealer/strela_stealer_payload_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/extractors/strelastealer/strela_stealer_payload_extractor.py -------------------------------------------------------------------------------- /indicators/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/README.md -------------------------------------------------------------------------------- /indicators/app-bound_bypass/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/app-bound_bypass/README.md -------------------------------------------------------------------------------- /indicators/app-bound_bypass/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/app-bound_bypass/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/app-bound_bypass/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/app-bound_bypass/stix-bundle.json -------------------------------------------------------------------------------- /indicators/banshee/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/banshee/README.md -------------------------------------------------------------------------------- /indicators/banshee/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/banshee/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/banshee/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/banshee/stix-bundle.json -------------------------------------------------------------------------------- /indicators/bitsloth/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/bitsloth/README.md -------------------------------------------------------------------------------- /indicators/bitsloth/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/bitsloth/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/bitsloth/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/bitsloth/stix-bundle.json -------------------------------------------------------------------------------- /indicators/blister/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/blister/README.md -------------------------------------------------------------------------------- /indicators/blister/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/blister/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/blister/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/blister/stix-bundle.json -------------------------------------------------------------------------------- /indicators/confused_rat/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/confused_rat/README.md -------------------------------------------------------------------------------- /indicators/confused_rat/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/confused_rat/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/confused_rat/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/confused_rat/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ghostengine/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostengine/README.md -------------------------------------------------------------------------------- /indicators/ghostengine/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostengine/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ghostengine/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostengine/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ghostpulse/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostpulse/README.md -------------------------------------------------------------------------------- /indicators/ghostpulse/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostpulse/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ghostpulse/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ghostpulse/stix-bundle.json -------------------------------------------------------------------------------- /indicators/grimresource/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/grimresource/README.md -------------------------------------------------------------------------------- /indicators/grimresource/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/grimresource/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/grimresource/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/grimresource/stix-bundle.json -------------------------------------------------------------------------------- /indicators/guloader/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/guloader/README.md -------------------------------------------------------------------------------- /indicators/guloader/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/guloader/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/guloader/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/guloader/stix-bundle.json -------------------------------------------------------------------------------- /indicators/jokerspy/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/jokerspy/README.md -------------------------------------------------------------------------------- /indicators/jokerspy/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/jokerspy/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/jokerspy/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/jokerspy/stix-bundle.json -------------------------------------------------------------------------------- /indicators/lobshot/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/lobshot/README.md -------------------------------------------------------------------------------- /indicators/lobshot/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/lobshot/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/lobshot/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/lobshot/stix-bundle.json -------------------------------------------------------------------------------- /indicators/outlaw/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/outlaw/README.md -------------------------------------------------------------------------------- /indicators/outlaw/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/outlaw/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/pikabot/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/pikabot/README.md -------------------------------------------------------------------------------- /indicators/pikabot/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/pikabot/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/pikabot/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/pikabot/stix-bundle.json -------------------------------------------------------------------------------- /indicators/r77/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/r77/README.md -------------------------------------------------------------------------------- /indicators/r77/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/r77/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/r77/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/r77/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ref0657/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref0657/README.md -------------------------------------------------------------------------------- /indicators/ref0657/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref0657/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ref0657/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref0657/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ref5961/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref5961/README.md -------------------------------------------------------------------------------- /indicators/ref5961/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref5961/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ref5961/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref5961/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ref6138/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref6138/README.md -------------------------------------------------------------------------------- /indicators/ref6138/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref6138/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ref6138/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref6138/stix-bundle.json -------------------------------------------------------------------------------- /indicators/ref7001/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref7001/README.md -------------------------------------------------------------------------------- /indicators/ref7001/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref7001/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/ref7001/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/ref7001/stix-bundle.json -------------------------------------------------------------------------------- /indicators/rustbucket/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/rustbucket/README.md -------------------------------------------------------------------------------- /indicators/rustbucket/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/rustbucket/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/rustbucket/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/rustbucket/stix-bundle.json -------------------------------------------------------------------------------- /indicators/shelby-strategy/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shelby-strategy/README.md -------------------------------------------------------------------------------- /indicators/shelby-strategy/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shelby-strategy/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/shelby-strategy/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shelby-strategy/stix-bundle.json -------------------------------------------------------------------------------- /indicators/shellter/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shellter/README.md -------------------------------------------------------------------------------- /indicators/shellter/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shellter/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/shellter/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/shellter/stix-bundle.json -------------------------------------------------------------------------------- /indicators/spectralviper/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/spectralviper/README.md -------------------------------------------------------------------------------- /indicators/spectralviper/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/spectralviper/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/spectralviper/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/spectralviper/stix-bundle.json -------------------------------------------------------------------------------- /indicators/tollbooth/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/tollbooth/README.md -------------------------------------------------------------------------------- /indicators/tollbooth/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/tollbooth/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/tollbooth/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/tollbooth/stix-bundle.json -------------------------------------------------------------------------------- /indicators/warmcookie/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/warmcookie/README.md -------------------------------------------------------------------------------- /indicators/warmcookie/ecs-indicators.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/warmcookie/ecs-indicators.ndjson -------------------------------------------------------------------------------- /indicators/warmcookie/stix-bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/indicators/warmcookie/stix-bundle.json -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/README.md -------------------------------------------------------------------------------- /tools/abyssworker/client/CMakeLists.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/abyssworker/client/CMakeLists.txt -------------------------------------------------------------------------------- /tools/abyssworker/client/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/abyssworker/client/README.md -------------------------------------------------------------------------------- /tools/abyssworker/client/main.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/abyssworker/client/main.c -------------------------------------------------------------------------------- /tools/abyssworker/client/main.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/abyssworker/client/main.h -------------------------------------------------------------------------------- /tools/abyssworker/client/output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/abyssworker/client/output.png -------------------------------------------------------------------------------- /tools/alcatraz/0.find_custom_entrypoint.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/0.find_custom_entrypoint.py -------------------------------------------------------------------------------- /tools/alcatraz/1.remove_anti_disassembly.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/1.remove_anti_disassembly.py -------------------------------------------------------------------------------- /tools/alcatraz/2.deobfuscate_alcatraz.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/2.deobfuscate_alcatraz.py -------------------------------------------------------------------------------- /tools/alcatraz/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/README.md -------------------------------------------------------------------------------- /tools/alcatraz/bin/all_techniques.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/all_techniques.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/anti_disassembly.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/anti_disassembly.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/cfg_flattening.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/cfg_flattening.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/hidden_entrypoint.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/hidden_entrypoint.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/immediate_mov.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/immediate_mov.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/lea_obfuscation.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/lea_obfuscation.bin -------------------------------------------------------------------------------- /tools/alcatraz/bin/mutate.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/bin/mutate.bin -------------------------------------------------------------------------------- /tools/alcatraz/images/clean_lea.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/images/clean_lea.png -------------------------------------------------------------------------------- /tools/alcatraz/images/constant_unfolding_fix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/images/constant_unfolding_fix.png -------------------------------------------------------------------------------- /tools/alcatraz/images/find_entrypoint.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/images/find_entrypoint.png -------------------------------------------------------------------------------- /tools/alcatraz/images/mutation_recovery.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/images/mutation_recovery.png -------------------------------------------------------------------------------- /tools/alcatraz/images/patch_anti_disassembly.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/images/patch_anti_disassembly.png -------------------------------------------------------------------------------- /tools/alcatraz/requirements.txt: -------------------------------------------------------------------------------- 1 | lief==0.14.0 2 | keystone-engine==0.9.2 -------------------------------------------------------------------------------- /tools/alcatraz/utils/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tools/alcatraz/utils/common.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/utils/common.py -------------------------------------------------------------------------------- /tools/alcatraz/utils/patterns.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/alcatraz/utils/patterns.py -------------------------------------------------------------------------------- /tools/blister/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/blister/README.md -------------------------------------------------------------------------------- /tools/blister/blister_payload_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/blister/blister_payload_extractor.py -------------------------------------------------------------------------------- /tools/ghostpulse/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ghostpulse/README.md -------------------------------------------------------------------------------- /tools/ghostpulse/ghostpulse_payload_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ghostpulse/ghostpulse_payload_extractor.py -------------------------------------------------------------------------------- /tools/guloader/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/guloader/README.md -------------------------------------------------------------------------------- /tools/guloader/guloader_FixCFG.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/guloader/guloader_FixCFG.py -------------------------------------------------------------------------------- /tools/icedid/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/README.md -------------------------------------------------------------------------------- /tools/icedid/decompress_file.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/decompress_file.py -------------------------------------------------------------------------------- /tools/icedid/decrypt_file.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/decrypt_file.py -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/context.example.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/context.example.json -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/core_payloads.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/core_payloads.yar -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/extract_gzip.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/extract_gzip.py -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/extract_payloads_from_core.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/extract_payloads_from_core.py -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/load_core.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/load_core.py -------------------------------------------------------------------------------- /tools/icedid/gzip-variant/read_configuration.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/gzip-variant/read_configuration.py -------------------------------------------------------------------------------- /tools/icedid/rebuild_pe.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/icedid/rebuild_pe.py -------------------------------------------------------------------------------- /tools/ida_scripts/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ida_scripts/README.md -------------------------------------------------------------------------------- /tools/ida_scripts/hexrays_examples/ctree_practical_example.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ida_scripts/hexrays_examples/ctree_practical_example.py -------------------------------------------------------------------------------- /tools/ida_scripts/hexrays_examples/ctree_traversal.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ida_scripts/hexrays_examples/ctree_traversal.py -------------------------------------------------------------------------------- /tools/ida_scripts/hexrays_examples/microcode_traversal.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/ida_scripts/hexrays_examples/microcode_traversal.py -------------------------------------------------------------------------------- /tools/latrodectus/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/latrodectus/README.md -------------------------------------------------------------------------------- /tools/latrodectus/latro_str_decrypt.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/latrodectus/latro_str_decrypt.py -------------------------------------------------------------------------------- /tools/malware_research/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/malware_research/README.md -------------------------------------------------------------------------------- /tools/malware_research/custom_pipelines.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/malware_research/custom_pipelines.py -------------------------------------------------------------------------------- /tools/malware_research/enrich_policy_setup.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/malware_research/enrich_policy_setup.py -------------------------------------------------------------------------------- /tools/malware_research/gsub_pipeline_json_object.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/malware_research/gsub_pipeline_json_object.py -------------------------------------------------------------------------------- /tools/malware_research/requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | -------------------------------------------------------------------------------- /tools/shellter/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/shellter/README.md -------------------------------------------------------------------------------- /tools/shellter/ShellterUnpacker.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/shellter/ShellterUnpacker.bin -------------------------------------------------------------------------------- /tools/shellter/ShellterUnpacker.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/shellter/ShellterUnpacker.cpp -------------------------------------------------------------------------------- /tools/stix-to-ecs/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/README.md -------------------------------------------------------------------------------- /tools/stix-to-ecs/configuration.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/configuration.json -------------------------------------------------------------------------------- /tools/stix-to-ecs/extra/clean_stix.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/extra/clean_stix.py -------------------------------------------------------------------------------- /tools/stix-to-ecs/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/requirements.txt -------------------------------------------------------------------------------- /tools/stix-to-ecs/stix_to_ecs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/stix_to_ecs.py -------------------------------------------------------------------------------- /tools/stix-to-ecs/test-inputs/cisa_sample_stix.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/test-inputs/cisa_sample_stix.json -------------------------------------------------------------------------------- /tools/stix-to-ecs/test-inputs/guloader_sample_stix.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/stix-to-ecs/test-inputs/guloader_sample_stix.json -------------------------------------------------------------------------------- /tools/warmcookie/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/README.md -------------------------------------------------------------------------------- /tools/warmcookie/images/decrypted.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/images/decrypted.png -------------------------------------------------------------------------------- /tools/warmcookie/images/output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/images/output.png -------------------------------------------------------------------------------- /tools/warmcookie/images/warmcookie.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/images/warmcookie.png -------------------------------------------------------------------------------- /tools/warmcookie/warmcookie_http.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/warmcookie_http.py -------------------------------------------------------------------------------- /tools/warmcookie/warmcookie_str_decrypt.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/labs-releases/HEAD/tools/warmcookie/warmcookie_str_decrypt.py --------------------------------------------------------------------------------