├── CVEs_red_team_tools.md ├── LICENSE.txt ├── README.md ├── all-clam.ldb ├── all-hashes.csv ├── all-snort.rules ├── all-yara.yar ├── rules ├── ADPASSHUNT │ └── production │ │ ├── hxioc │ │ └── ADPASSHUNT (CREDENTIAL STEALER).ioc │ │ └── yara │ │ ├── APT_HackTool_MSIL_ADPassHunt_1.yar │ │ ├── APT_HackTool_MSIL_ADPassHunt_2.yar │ │ ├── CredTheft_MSIL_ADPassHunt_1.yar │ │ └── CredTheft_MSIL_ADPassHunt_2.yar ├── ALLTHETHINGS │ └── production │ │ └── yara │ │ └── Loader_MSIL_AllTheThings_1.yar ├── BASICPIPESHELL │ └── production │ │ ├── snort │ │ ├── Backdoor.SMB.BASICPIPESHELL.[05 00].rules │ │ ├── Backdoor.SMB.BASICPIPESHELL.[08 00].rules │ │ └── Backdoor.SMB.BASICPIPESHELL.[0b 00].rules │ │ └── yara │ │ └── APT_Backdoor_PS1_BASICPIPESHELL_1.yar ├── BEACON │ ├── production │ │ ├── hxioc │ │ │ ├── CobaltStrike Custom Config Artifacts.ioc │ │ │ ├── POTENTIAL COBALT STRIKE PROFILE (FAMILY).ioc │ │ │ ├── RENAMED MSBUILD.EXE BY ARGUMENTS (METHODOLOGY).ioc │ │ │ ├── RENAMED REGSVR32.EXE BY ARGUMENTS (METHODOLOGY).ioc │ │ │ ├── RENAMED WORKFLOW COMPILER BY FILE WRITE (METHODOLOGY).ioc │ │ │ └── SUSPICIOUS EXECUTION OF SEARCH INDEXER (METHODOLOGY).ioc │ │ └── snort │ │ │ ├── Backdoor.DNS.BEACON.[CSBundle DNS].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle CDN GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle MSOffice GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle MSOffice POST].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle MSOffice Server].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original POST].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original Server 2].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original Server 3].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original Server].rules │ │ │ ├── 
Backdoor.HTTP.BEACON.[CSBundle Original Stager 2].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle Original Stager].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle USAToday GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[CSBundle USAToday Server].rules │ │ │ ├── Backdoor.HTTP.BEACON.[Yelp GET].rules │ │ │ ├── Backdoor.HTTP.BEACON.[Yelp Request].rules │ │ │ └── Backdoor.SSL.BEACON.[CSBundle Ajax].rules │ └── supplemental │ │ ├── hxioc │ │ ├── SUSPICIOUS SYMERR PROCESS (METHODOLOGY).ioc │ │ └── SUSPICIOUS USE OF WORKFLOW COMPILER FOR PAYLOAD EXECUTION (METHODOLOGY).ioc │ │ └── yara │ │ ├── Loader_Win_Generic_17.yar │ │ ├── Loader_Win_Generic_18.yar │ │ ├── Trojan_Raw_Generic_4.yar │ │ └── Trojan_Win_Generic_101.yar ├── BELTALOWDA │ ├── production │ │ ├── hxioc │ │ │ └── SEATBELT (UTILITY).ioc │ │ └── yara │ │ │ ├── HackTool_MSIL_SEATBELT_1.yar │ │ │ └── HackTool_MSIL_SEATBELT_2.yar │ └── supplemental │ │ └── hxioc │ │ └── SEATBELT (UTILITY).ioc ├── COREHOUND │ └── production │ │ └── yara │ │ └── HackTool_MSIL_CoreHound_1.yar ├── DSHELL │ ├── production │ │ └── yara │ │ │ ├── APT_Backdoor_Win_DShell_1.yar │ │ │ ├── APT_Backdoor_Win_DShell_3.yar │ │ │ ├── APT_Loader_Win32_DShell_1.yar │ │ │ ├── APT_Loader_Win32_DShell_2.yar │ │ │ └── APT_Loader_Win32_DShell_3.yar │ └── supplemental │ │ └── yara │ │ └── APT_Backdoor_Win_DShell_2.yar ├── DTRIM │ └── production │ │ └── yara │ │ └── APT_HackTool_MSIL_DTRIM_1.yar ├── DUEDLLIGENCE │ ├── production │ │ ├── hxioc │ │ │ └── DueDLLigence FileWrites (Utility).ioc │ │ └── yara │ │ │ ├── HackTool_MSIL_HOLSTER_1.yar │ │ │ ├── Loader_MSIL_DUEDLLIGENCE_1.yar │ │ │ ├── Loader_MSIL_DUEDLLIGENCE_2.yar │ │ │ ├── Loader_MSIL_DUEDLLIGENCE_3.yar │ │ │ └── MSIL_Launcher_DUEDLLIGENCE_1.yar │ └── supplemental │ │ └── hxioc │ │ ├── LIBVLC.dll Hijack (Methodology).ioc │ │ ├── X32BRIDGE.dll Hijack (Methodology).ioc │ │ ├── anything.cpl Hijack (Methodology).ioc │ │ └── anything.dll Hijack (Methodology).ioc ├── EWSRT │ └── production │ │ └── clamav │ │ ├── 
HackTool_HTML_EWSRT_1.ldb │ │ ├── HackTool_HTML_EWSRT_2.ldb │ │ ├── HackTool_PS1_EWSRT_1.ldb │ │ └── HackTool_PS1_EWSRT_2.ldb ├── EXCAVATOR │ ├── production │ │ ├── hxioc │ │ │ ├── EXCAVATOR (UTILITY).ioc │ │ │ └── Excavator Memory Dump (Utility).ioc │ │ └── yara │ │ │ ├── APT_HackTool_Win64_EXCAVATOR_1.yar │ │ │ ├── APT_HackTool_Win64_EXCAVATOR_2.yar │ │ │ ├── CredTheft_Win_EXCAVATOR_1.yar │ │ │ └── CredTheft_Win_EXCAVATOR_2.yar │ └── supplemental │ │ └── yara │ │ ├── Trojan_Win64_Generic_22.yar │ │ └── Trojan_Win64_Generic_23.yar ├── FLUFFY │ └── production │ │ ├── snort │ │ ├── HackTool.TCP.Rubeus.[User32LogonProcesss].rules │ │ ├── HackTool.TCP.Rubeus.[nonce 2].rules │ │ ├── HackTool.TCP.Rubeus.[nonce].rules │ │ ├── HackTool.UDP.Rubeus.[nonce 2].rules │ │ └── HackTool.UDP.Rubeus.[nonce].rules │ │ └── yara │ │ ├── APT_HackTool_MSIL_FLUFFY_1.yar │ │ └── APT_HackTool_MSIL_FLUFFY_2.yar ├── G2JS │ ├── production │ │ ├── hxioc │ │ │ ├── GADGETTOJSCRIPT PAYLOAD (UTILITY).ioc │ │ │ ├── SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc │ │ │ └── Suspicious Process Tree (Methodology).ioc │ │ └── yara │ │ │ ├── Builder_MSIL_G2JS_1.yar │ │ │ ├── Hunting_B64Engine_DotNetToJScript_Dos.yar │ │ │ ├── Hunting_DotNetToJScript_Functions.yar │ │ │ └── Hunting_GadgetToJScript_1.yar │ └── supplemental │ │ └── clamav │ │ ├── Trojan_Script_Generic_1.ldb │ │ ├── Trojan_Script_Generic_2.ldb │ │ └── Trojan_Script_Generic_3.ldb ├── GETDOMAINPASSWORDPOLICY │ └── production │ │ └── yara │ │ └── HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar ├── GPOHUNT │ └── production │ │ └── yara │ │ └── APT_HackTool_MSIL_GPOHUNT_1.yar ├── IMPACKETOBF (Smbexec) │ └── production │ │ ├── snort │ │ └── Methodology.SMB.Impacket-Obfuscation.[Service Names].rules │ │ └── yara │ │ └── HackTool_PY_ImpacketObfuscation_1.yar ├── IMPACKETOBF (Wmiexec) │ └── production │ │ └── yara │ │ └── HackTool_PY_ImpacketObfuscation_2.yar ├── IMPACKETOBF │ └── production │ │ ├── clamav │ │ ├── 
APT_HackTool_PY_ImpacketObfuscation_2.ldb │ │ └── HackTool_PY_ImpacketObfuscation_1.ldb │ │ └── hxioc │ │ ├── IMPACKET-OBFUSCATION SMBEXEC (UTILITY).ioc │ │ ├── IMPACKET-OBFUSCATION WMIEXEC (UTILITY).ioc │ │ ├── Obfuscacted Impacket wmiexec (Utility).ioc │ │ └── Obfuscated Impacket smbexec (Utility).ioc ├── INVEIGHZERO │ └── production │ │ └── yara │ │ └── HackTool_MSIL_INVEIGHZERO_1.yar ├── JUSTASK │ └── production │ │ └── yara │ │ └── APT_HackTool_MSIL_JUSTASK_1.yar ├── KEEFARCE │ └── production │ │ └── yara │ │ └── HackTool_MSIL_KeeFarce_1.yar ├── KEEPERSIST │ └── production │ │ └── yara │ │ └── HackTool_MSIL_KeePersist_1.yar ├── LNKSMASHER │ ├── production │ │ ├── clamav │ │ │ ├── APT_Builder_PY_LNKSMASHER_1.ldb │ │ │ ├── APT_Trojan_LNK_LNKSMASHER_1.ldb │ │ │ └── APT_Trojan_LNK_LNKSMASHER_2.ldb │ │ ├── hxioc │ │ │ └── LNKSMASHER COMMANDS.ioc │ │ └── yara │ │ │ └── Dropper_LNK_LNKSmasher_1.yar │ └── supplemental │ │ ├── hxioc │ │ └── LNK SMASHER (UTILITY).ioc │ │ └── yara │ │ └── Hunting_LNK_Win_GenericLauncher.yar ├── LUALOADER │ └── production │ │ └── yara │ │ ├── APT_HackTool_MSIL_LUALOADER_1.yar │ │ ├── APT_Loader_MSIL_LUALOADER_1.yar │ │ └── APT_Loader_MSIL_LUALOADER_2.yar ├── MATRYOSHKA │ └── production │ │ ├── clamav │ │ └── APT_Builder_PY_MATRYOSHKA_1.ldb │ │ └── yara │ │ ├── APT_Builder_PY_MATRYOSHKA_1.yar │ │ ├── APT_Builder_Win64_MATRYOSHKA_1.yar │ │ ├── APT_Dropper_Win64_MATRYOSHKA_1.yar │ │ ├── APT_Dropper_Win_MATRYOSHKA_1.yar │ │ ├── APT_Loader_Win64_MATRYOSHKA_1.yar │ │ ├── APT_Loader_Win64_MATRYOSHKA_2.yar │ │ └── APT_Loader_Win_MATRYOSHKA_1.yar ├── MEMCOMP │ └── production │ │ └── yara │ │ └── Loader_MSIL_InMemoryCompilation_1.yar ├── MOFCOMP │ └── production │ │ └── hxioc │ │ └── Suspicious MOF File.ioc ├── MSBUILDME │ └── supplemental │ │ └── hxioc │ │ └── USERINIT PROCESS LAUNCH BY MSBUILD.EXE (METHODOLOGY).ioc ├── NETASSEMBLYINJECT │ └── production │ │ └── yara │ │ └── Loader_MSIL_NETAssemblyInject_1.yar ├── NETSHSHELLCODERUNNER │ └── 
production │ │ └── yara │ │ └── Loader_MSIL_NetshShellCodeRunner_1.yar ├── NOAMCI │ └── production │ │ └── yara │ │ └── APT_HackTool_MSIL_NOAMCI_1.yar ├── PGF │ ├── production │ │ ├── clamav │ │ │ ├── APT_Builder_PY_PGF_1.ldb │ │ │ ├── APT_Loader_CSPROJ_PGF_1.ldb │ │ │ ├── APT_Loader_TT_PGF_1.ldb │ │ │ └── APT_Loader_XOML_PGF_1.ldb │ │ ├── hxioc │ │ │ ├── INSTALLUTIL APP WHITELISTING BYPASS (METHODOLOGY).ioc │ │ │ └── PayloadGenerationFramework FileWrites (Utility).ioc │ │ └── yara │ │ │ ├── APT_Loader_MSIL_PGF_1.yar │ │ │ ├── APT_Loader_MSIL_PGF_2.yar │ │ │ ├── APT_Loader_Win32_PGF_1.yar │ │ │ ├── APT_Loader_Win32_PGF_2.yar │ │ │ ├── APT_Loader_Win32_PGF_3.yar │ │ │ ├── APT_Loader_Win32_PGF_4.yar │ │ │ ├── APT_Loader_Win32_PGF_5.yar │ │ │ ├── APT_Loader_Win64_PGF_1.yar │ │ │ ├── APT_Loader_Win64_PGF_2.yar │ │ │ ├── APT_Loader_Win64_PGF_3.yar │ │ │ ├── APT_Loader_Win64_PGF_4.yar │ │ │ ├── APT_Loader_Win64_PGF_5.yar │ │ │ ├── APT_Loader_Win_PGF_1.yar │ │ │ └── APT_Loader_Win_PGF_2.yar │ └── supplemental │ │ └── hxioc │ │ ├── CONTROL PANEL ITEMS (METHODOLOGY).ioc │ │ ├── DISM EXECUTION IN SUSPICIOUS LOCATION (METHODOLOGY).ioc │ │ ├── DISM NETWORK ACTIVITY (METHODOLOGY).ioc │ │ ├── INSTALLUTIL CHILD PROCESS (METHODOLOGY).ioc │ │ ├── LOLBIN EXECUTION (METHODOLOGY).ioc │ │ ├── NETSH EXECUTION (METHODOLOGY).ioc │ │ ├── POSSIBLE SRPROXY SIDE-LOADING (METHODOLOGY).ioc │ │ ├── PackageIdentification.dll Hijack (Methodology).ioc │ │ ├── PotPlayer.dll Hijack (Methodology).ioc │ │ ├── REGASM PARENT PROCESS (METHODOLOGY).ioc │ │ ├── RUNDLL32 EXECUTION (METHODOLOGY).ioc │ │ ├── SUSPICIOUS DLL LOAD (METHODOLOGY).ioc │ │ ├── SUSPICIOUS EXECUTION OF SEARCHPROTOCOLHOST (METHODOLOGY).ioc │ │ ├── TEXTTRANSFORM PARENT PROCESS (METHODOLOGY).ioc │ │ ├── Wdscore.dll Hijack (Methodology).ioc │ │ ├── api-ms-win-downlevel-shell32-l1-1-0.dll Hijack (Methodology).ioc │ │ ├── ashldres.dll Hijack (Methodology).ioc │ │ ├── ccl110u.dll Hijack (Methodology).ioc │ │ ├── cclib.dll Hijack 
(Methodology).ioc │ │ ├── chrome_frame_helper.dll Hijack (Methodology).ioc │ │ ├── crshhndl.dll Hijack (Methodology).ioc │ │ ├── dismcore.dll Hijack (Methodology).ioc │ │ ├── dwmapi.dll Hijack (Methodology).ioc │ │ ├── elogger.dll Hijack (Methodology).ioc │ │ ├── fmtoptions.dll Hijack (Methodology).ioc │ │ ├── goopdate.dll Hijack (Methodology).ioc │ │ ├── hpcustpartui.dll Hijack (Methodology).ioc │ │ ├── mcutil.dll Hijack (Methodology).ioc │ │ ├── mscorsvc.dll Hijack (Methodology).ioc │ │ ├── msi.dll Hijack (Methodology).ioc │ │ ├── nflogger.dll Hijack (Methodology).ioc │ │ ├── pc2msupp.dll Hijack (Methodology).ioc │ │ ├── pt1.aym Hijack (Methodology).ioc │ │ ├── sidebar.dll Hijack (Methodology).ioc │ │ ├── splash_screen.dll Hijack (Methodology).ioc │ │ ├── tmas_wlmhook.dll Hijack (Methodology).ioc │ │ ├── ui.dll Hijack (Methodology).ioc │ │ └── ushata.dll Hijack (Methodology).ioc ├── PREPSHELLCODE │ └── production │ │ └── yara │ │ └── HackTool_MSIL_PrepShellcode_1.yar ├── PUPPYHOUND │ └── production │ │ └── yara │ │ ├── HackTool_MSIL_PuppyHound_1.yar │ │ └── HackTool_MSIL_SharpHound_3.yar ├── PXELOOT │ └── production │ │ ├── hxioc │ │ ├── PAX dism WIM mount (utility).ioc │ │ └── PXELOOT (UTILITY).ioc │ │ └── yara │ │ ├── HackTool_MSIL_PXELOOT_1.yar │ │ └── HackTool_MSIL_PXELOOT_2.yar ├── REDFLARE (Gorat) │ └── production │ │ ├── snort │ │ ├── Backdoor.HTTP.GORAT.[Build ID].rules │ │ ├── Backdoor.HTTP.GORAT.[HTTP Response].rules │ │ ├── Backdoor.HTTP.GORAT.[POST Content].rules │ │ ├── Backdoor.HTTP.GORAT.[POST].rules │ │ ├── Backdoor.HTTP.GORAT.[SID1].rules │ │ └── Backdoor.HTTP.GORAT.[SSL Cert].rules │ │ └── yara │ │ ├── APT_Backdoor_MacOS_GORAT_1.yar │ │ ├── APT_Backdoor_Win_GORAT_1.yar │ │ ├── APT_Backdoor_Win_GORAT_2.yar │ │ ├── APT_Backdoor_Win_GORAT_3.yar │ │ ├── APT_Backdoor_Win_GORAT_4.yar │ │ ├── APT_Backdoor_Win_GORAT_5.yar │ │ ├── APT_Backdoor_Win_GoRat_Memory.yar │ │ ├── Trojan_MSIL_GORAT_Module_PowerShell_1.yar │ │ └── 
Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar ├── REDFLARE │ ├── production │ │ └── yara │ │ │ ├── APT_Builder_PY_REDFLARE_1.yar │ │ │ ├── APT_Builder_PY_REDFLARE_2.yar │ │ │ ├── APT_Controller_Linux_REDFLARE_1.yar │ │ │ ├── APT_Downloader_Win32_REDFLARE_1.yar │ │ │ ├── APT_Downloader_Win64_REDFLARE_1.yar │ │ │ ├── APT_Keylogger_Win32_REDFLARE_1.yar │ │ │ ├── APT_Keylogger_Win64_REDFLARE_1.yar │ │ │ ├── APT_Loader_Raw32_REDFLARE_1.yar │ │ │ ├── APT_Loader_Raw64_REDFLARE_1.yar │ │ │ ├── APT_Loader_Win32_REDFLARE_1.yar │ │ │ ├── APT_Loader_Win32_REDFLARE_2.yar │ │ │ ├── APT_Loader_Win64_REDFLARE_1.yar │ │ │ ├── APT_Loader_Win64_REDFLARE_2.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_1.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_2.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_3.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_4.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_5.yar │ │ │ ├── APT_Trojan_Win_REDFLARE_7.yar │ │ │ └── APT_Trojan_Win_REDFLARE_8.yar │ └── supplemental │ │ └── yara │ │ ├── APT_Trojan_Linux_REDFLARE_1.yar │ │ └── APT_Trojan_Win_REDFLARE_6.yar ├── RESUMEPLEASE │ └── production │ │ ├── clamav │ │ └── Trojan_Macro_RESUMEPLEASE_1.ldb │ │ └── yara │ │ └── Trojan_Macro_RESUMEPLEASE_1.yar ├── REVOLVER │ └── production │ │ └── yara │ │ ├── APT_HackTool_MSIL_REVOLVER_1.yar │ │ └── APT_Loader_MSIL_REVOLVER_1.yar ├── RUBEUS │ └── production │ │ └── yara │ │ └── HackTool_MSIL_Rubeus_1.yar ├── SAFETYKATZ │ └── production │ │ ├── hxioc │ │ ├── SAFETYKATZ (CREDENTIAL STEALER).ioc │ │ └── SafetyKatz A (Credential Stealer).ioc │ │ └── yara │ │ └── HackTool_MSIL_SAFETYKATZ_4.yar ├── SHARPERSIST │ ├── production │ │ ├── hxioc │ │ │ ├── SHARPERSIST (UTILITY).ioc │ │ │ ├── SHARPERSIST A (UTILITY).ioc │ │ │ ├── Service Failure Abuse (Methodology).ioc │ │ │ └── SharPersist B (utility).ioc │ │ └── yara │ │ │ ├── HackTool_MSIL_SharPersist_1.yar │ │ │ └── HackTool_MSIL_SharPersist_2.yar │ └── supplemental │ │ └── hxioc │ │ ├── COM CLSID registry activity (METHODOLOGY).ioc │ │ └── HOTKEY PERSISTENCE (METHODOLOGY).ioc 
├── SHARPGENERATOR │ └── production │ │ └── yara │ │ └── Builder_MSIL_SharpGenerator_1.yar ├── SHARPIVOT │ └── production │ │ ├── hxioc │ │ ├── Possible Handler Poisoning (Methodology).ioc │ │ └── SHARPIVOT (UTILITY).ioc │ │ └── yara │ │ ├── HackTool_MSIL_SharPivot_1.yar │ │ ├── HackTool_MSIL_SharPivot_2.yar │ │ ├── HackTool_MSIL_SharPivot_3.yar │ │ └── HackTool_MSIL_SharPivot_4.yar ├── SHARPPGREP │ └── production │ │ └── yara │ │ └── Tool_MSIL_SharpGrep_1.yar ├── SHARPSACK │ └── production │ │ └── yara │ │ └── APT_HackTool_MSIL_SHARPSACK_1.yar ├── SHARPSCHTASK │ └── production │ │ └── yara │ │ └── HackTool_MSIL_SharpSchtask_1.yar ├── SHARPSECTIONINJECTION │ └── production │ │ └── yara │ │ └── Loader_MSIL_CSharpSectionInjection_1.yar ├── SHARPSTOMP │ └── production │ │ ├── hxioc │ │ └── SHARPSTOMP (UTILITY).ioc │ │ └── yara │ │ ├── APT_HackTool_MSIL_SHARPSTOMP_1.yar │ │ ├── APT_HackTool_MSIL_SHARPSTOMP_2.yar │ │ └── HackTool_MSIL_SharpStomp_1.yar ├── SHARPUTILS │ └── production │ │ └── yara │ │ └── Tool_MSIL_CSharpUtils_1.yar ├── SHARPY │ └── production │ │ └── yara │ │ └── Loader_MSIL_SharPy_1.yar ├── SHARPZEROLOGON │ └── production │ │ └── yara │ │ └── HackTool_MSIL_SHARPZEROLOGON_1.yar ├── SINFULOFFICE │ ├── production │ │ └── yara │ │ │ └── Builder_MSIL_SinfulOffice_1.yar │ └── supplemental │ │ └── yara │ │ └── Methodology_OLE_CHARENCODING_2.yar ├── TITOSPECIAL │ └── production │ │ ├── hxioc │ │ └── TitoSpecial Memory Dump (Credential Stealer).ioc │ │ └── yara │ │ ├── APT_HackTool_MSIL_TITOSPECIAL_1.yar │ │ ├── CredTheft_MSIL_TitoSpecial_1.yar │ │ ├── CredTheft_MSIL_TitoSpecial_2.yar │ │ ├── HackTool_Win32_AndrewSpecial_1.yar │ │ └── HackTool_Win64_AndrewSpecial_1.yar ├── TRIMBISHOP │ ├── new │ │ └── yara │ │ │ ├── Loader_MSIL_RURALBISHOP_1.yar │ │ │ └── Loader_MSIL_RURALBISHOP_2.yar │ └── production │ │ └── yara │ │ ├── APT_Loader_MSIL_TRIMBISHOP_1.yar │ │ ├── APT_Loader_MSIL_TRIMBISHOP_2.yar │ │ ├── Loader_MSIL_RuralBishop_3.yar │ │ └── 
Loader_MSIL_TrimBishop_1.yar ├── UNCATEGORIZED │ ├── production │ │ ├── hxioc │ │ │ ├── DISM.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc │ │ │ ├── SEARCHPROTOCOLHOST.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc │ │ │ └── WERFAULT.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc │ │ └── yara │ │ │ ├── APT_HackTool_MSIL_DNSOVERHTTPS_C2_1.yar │ │ │ ├── APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1.yar │ │ │ ├── APT_HackTool_MSIL_PRAT_1.yar │ │ │ ├── APT_HackTool_MSIL_REDTEAMMATERIALS_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPDACL_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPDNS_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPGOPHER_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPNATIVEZIPPER_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPNFS_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPPATCHCHECK_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPSQLCLIENT_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPTEMPLATE_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPWEBCRAWLER_1.yar │ │ │ ├── APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1.yar │ │ │ ├── CredTheft_MSIL_CredSnatcher_1.yar │ │ │ └── CredTheft_MSIL_WCMDump_1.yar │ └── supplemental │ │ ├── clamav │ │ ├── Dropper_HTA_Generic_1.ldb │ │ ├── Trojan_HTA_Generic_1.ldb │ │ ├── Trojan_PS1_Generic_4.ldb │ │ ├── Trojan_PY_Generic_1.ldb │ │ └── Trojan_VBS_Generic_4.ldb │ │ └── yara │ │ ├── Loader_MSIL_Generic_1.yar │ │ ├── Loader_Win_Generic_19.yar │ │ └── Loader_Win_Generic_20.yar ├── WEAPONIZE │ └── supplemental │ │ └── hxioc │ │ └── SUSPICIOUS EXECUTION OF TSTHEME.EXE (METHODOLOGY).ioc ├── WILDCHILD │ └── production │ │ ├── hxioc │ │ └── WildChild Filewrite (Utility).ioc │ │ └── yara │ │ ├── APT_Loader_MSIL_WILDCHILD_1.yar │ │ ├── Dropper_HTA_WildChild_1.yar │ │ └── Loader_MSIL_WildChild_1.yar ├── WMIRUNNER │ └── production │ │ └── yara │ │ └── Loader_MSIL_WMIRunner_1.yar ├── WMISHARP │ └── production │ │ └── yara │ │ └── HackTool_MSIL_WMISharp_1.yar └── WMISPY │ └── production │ └── yara │ ├── APT_HackTool_MSIL_WMISPY_2.yar │ └── HackTool_MSIL_WMIspy_1.yar └── signatures_table_of_content.csv 
/CVEs_red_team_tools.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/CVEs_red_team_tools.md -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/LICENSE.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/README.md -------------------------------------------------------------------------------- /all-clam.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/all-clam.ldb -------------------------------------------------------------------------------- /all-hashes.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/all-hashes.csv -------------------------------------------------------------------------------- /all-snort.rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/all-snort.rules -------------------------------------------------------------------------------- /all-yara.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/all-yara.yar -------------------------------------------------------------------------------- /rules/ADPASSHUNT/production/hxioc/ADPASSHUNT (CREDENTIAL STEALER).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ADPASSHUNT/production/hxioc/ADPASSHUNT (CREDENTIAL STEALER).ioc -------------------------------------------------------------------------------- /rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_1.yar -------------------------------------------------------------------------------- /rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_2.yar -------------------------------------------------------------------------------- /rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_1.yar -------------------------------------------------------------------------------- /rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_2.yar -------------------------------------------------------------------------------- /rules/ALLTHETHINGS/production/yara/Loader_MSIL_AllTheThings_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/ALLTHETHINGS/production/yara/Loader_MSIL_AllTheThings_1.yar -------------------------------------------------------------------------------- /rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[05 00].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[05 00].rules -------------------------------------------------------------------------------- /rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[08 00].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[08 00].rules -------------------------------------------------------------------------------- /rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[0b 00].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BASICPIPESHELL/production/snort/Backdoor.SMB.BASICPIPESHELL.[0b 00].rules -------------------------------------------------------------------------------- /rules/BASICPIPESHELL/production/yara/APT_Backdoor_PS1_BASICPIPESHELL_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BASICPIPESHELL/production/yara/APT_Backdoor_PS1_BASICPIPESHELL_1.yar -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/CobaltStrike Custom Config Artifacts.ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/CobaltStrike Custom Config Artifacts.ioc -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/POTENTIAL COBALT STRIKE PROFILE (FAMILY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/POTENTIAL COBALT STRIKE PROFILE (FAMILY).ioc -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/RENAMED MSBUILD.EXE BY ARGUMENTS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/RENAMED MSBUILD.EXE BY ARGUMENTS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/RENAMED REGSVR32.EXE BY ARGUMENTS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/RENAMED REGSVR32.EXE BY ARGUMENTS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/RENAMED WORKFLOW COMPILER BY FILE WRITE (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/RENAMED WORKFLOW COMPILER BY FILE WRITE (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/production/hxioc/SUSPICIOUS EXECUTION OF SEARCH INDEXER (METHODOLOGY).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/hxioc/SUSPICIOUS EXECUTION OF SEARCH INDEXER (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.DNS.BEACON.[CSBundle DNS].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.DNS.BEACON.[CSBundle DNS].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle CDN GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle CDN GET].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice GET].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice POST].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice POST].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice 
Server].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle MSOffice Server].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original GET].rules -------------------------------------------------------------------------------- 
/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original POST].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original POST].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server 2].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server 2].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server 3].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server 3].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Server].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Stager 2].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Stager 2].rules 
-------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Stager].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle Original Stager].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle USAToday GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle USAToday GET].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle USAToday Server].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[CSBundle USAToday Server].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[Yelp GET].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[Yelp GET].rules -------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[Yelp Request].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.HTTP.BEACON.[Yelp Request].rules 
-------------------------------------------------------------------------------- /rules/BEACON/production/snort/Backdoor.SSL.BEACON.[CSBundle Ajax].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/production/snort/Backdoor.SSL.BEACON.[CSBundle Ajax].rules -------------------------------------------------------------------------------- /rules/BEACON/supplemental/hxioc/SUSPICIOUS SYMERR PROCESS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/hxioc/SUSPICIOUS SYMERR PROCESS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/supplemental/hxioc/SUSPICIOUS USE OF WORKFLOW COMPILER FOR PAYLOAD EXECUTION (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/hxioc/SUSPICIOUS USE OF WORKFLOW COMPILER FOR PAYLOAD EXECUTION (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/BEACON/supplemental/yara/Loader_Win_Generic_17.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/yara/Loader_Win_Generic_17.yar -------------------------------------------------------------------------------- /rules/BEACON/supplemental/yara/Loader_Win_Generic_18.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/yara/Loader_Win_Generic_18.yar 
-------------------------------------------------------------------------------- /rules/BEACON/supplemental/yara/Trojan_Raw_Generic_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/yara/Trojan_Raw_Generic_4.yar -------------------------------------------------------------------------------- /rules/BEACON/supplemental/yara/Trojan_Win_Generic_101.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BEACON/supplemental/yara/Trojan_Win_Generic_101.yar -------------------------------------------------------------------------------- /rules/BELTALOWDA/production/hxioc/SEATBELT (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BELTALOWDA/production/hxioc/SEATBELT (UTILITY).ioc -------------------------------------------------------------------------------- /rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_1.yar -------------------------------------------------------------------------------- /rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_2.yar -------------------------------------------------------------------------------- /rules/BELTALOWDA/supplemental/hxioc/SEATBELT (UTILITY).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/BELTALOWDA/supplemental/hxioc/SEATBELT (UTILITY).ioc -------------------------------------------------------------------------------- /rules/COREHOUND/production/yara/HackTool_MSIL_CoreHound_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/COREHOUND/production/yara/HackTool_MSIL_CoreHound_1.yar -------------------------------------------------------------------------------- /rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_1.yar -------------------------------------------------------------------------------- /rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/production/yara/APT_Backdoor_Win_DShell_3.yar -------------------------------------------------------------------------------- /rules/DSHELL/production/yara/APT_Loader_Win32_DShell_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_1.yar -------------------------------------------------------------------------------- /rules/DSHELL/production/yara/APT_Loader_Win32_DShell_2.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_2.yar -------------------------------------------------------------------------------- /rules/DSHELL/production/yara/APT_Loader_Win32_DShell_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_3.yar -------------------------------------------------------------------------------- /rules/DSHELL/supplemental/yara/APT_Backdoor_Win_DShell_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DSHELL/supplemental/yara/APT_Backdoor_Win_DShell_2.yar -------------------------------------------------------------------------------- /rules/DTRIM/production/yara/APT_HackTool_MSIL_DTRIM_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DTRIM/production/yara/APT_HackTool_MSIL_DTRIM_1.yar -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/hxioc/DueDLLigence FileWrites (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/hxioc/DueDLLigence FileWrites (Utility).ioc -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/yara/HackTool_MSIL_HOLSTER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/yara/HackTool_MSIL_HOLSTER_1.yar 
-------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_1.yar -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_2.yar -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_3.yar -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/production/yara/MSIL_Launcher_DUEDLLIGENCE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/production/yara/MSIL_Launcher_DUEDLLIGENCE_1.yar -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/supplemental/hxioc/LIBVLC.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/supplemental/hxioc/LIBVLC.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- 
/rules/DUEDLLIGENCE/supplemental/hxioc/X32BRIDGE.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/supplemental/hxioc/X32BRIDGE.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/supplemental/hxioc/anything.cpl Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/supplemental/hxioc/anything.cpl Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/DUEDLLIGENCE/supplemental/hxioc/anything.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/DUEDLLIGENCE/supplemental/hxioc/anything.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/EWSRT/production/clamav/HackTool_HTML_EWSRT_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EWSRT/production/clamav/HackTool_HTML_EWSRT_1.ldb -------------------------------------------------------------------------------- /rules/EWSRT/production/clamav/HackTool_HTML_EWSRT_2.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EWSRT/production/clamav/HackTool_HTML_EWSRT_2.ldb -------------------------------------------------------------------------------- /rules/EWSRT/production/clamav/HackTool_PS1_EWSRT_1.ldb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EWSRT/production/clamav/HackTool_PS1_EWSRT_1.ldb -------------------------------------------------------------------------------- /rules/EWSRT/production/clamav/HackTool_PS1_EWSRT_2.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EWSRT/production/clamav/HackTool_PS1_EWSRT_2.ldb -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/hxioc/EXCAVATOR (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/hxioc/EXCAVATOR (UTILITY).ioc -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/hxioc/Excavator Memory Dump (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/hxioc/Excavator Memory Dump (Utility).ioc -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_1.yar -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_2.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_2.yar -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_1.yar -------------------------------------------------------------------------------- /rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_2.yar -------------------------------------------------------------------------------- /rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_22.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_22.yar -------------------------------------------------------------------------------- /rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_23.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_23.yar -------------------------------------------------------------------------------- /rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[User32LogonProcesss].rules: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[User32LogonProcesss].rules -------------------------------------------------------------------------------- /rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[nonce 2].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[nonce 2].rules -------------------------------------------------------------------------------- /rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[nonce].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/snort/HackTool.TCP.Rubeus.[nonce].rules -------------------------------------------------------------------------------- /rules/FLUFFY/production/snort/HackTool.UDP.Rubeus.[nonce 2].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/snort/HackTool.UDP.Rubeus.[nonce 2].rules -------------------------------------------------------------------------------- /rules/FLUFFY/production/snort/HackTool.UDP.Rubeus.[nonce].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/snort/HackTool.UDP.Rubeus.[nonce].rules -------------------------------------------------------------------------------- /rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_1.yar -------------------------------------------------------------------------------- /rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_2.yar -------------------------------------------------------------------------------- /rules/G2JS/production/hxioc/GADGETTOJSCRIPT PAYLOAD (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/hxioc/GADGETTOJSCRIPT PAYLOAD (UTILITY).ioc -------------------------------------------------------------------------------- /rules/G2JS/production/hxioc/SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/hxioc/SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/G2JS/production/hxioc/Suspicious Process Tree (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/hxioc/Suspicious Process Tree (Methodology).ioc -------------------------------------------------------------------------------- /rules/G2JS/production/yara/Builder_MSIL_G2JS_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/yara/Builder_MSIL_G2JS_1.yar -------------------------------------------------------------------------------- /rules/G2JS/production/yara/Hunting_B64Engine_DotNetToJScript_Dos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/yara/Hunting_B64Engine_DotNetToJScript_Dos.yar -------------------------------------------------------------------------------- /rules/G2JS/production/yara/Hunting_DotNetToJScript_Functions.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/yara/Hunting_DotNetToJScript_Functions.yar -------------------------------------------------------------------------------- /rules/G2JS/production/yara/Hunting_GadgetToJScript_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/production/yara/Hunting_GadgetToJScript_1.yar -------------------------------------------------------------------------------- /rules/G2JS/supplemental/clamav/Trojan_Script_Generic_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/supplemental/clamav/Trojan_Script_Generic_1.ldb -------------------------------------------------------------------------------- /rules/G2JS/supplemental/clamav/Trojan_Script_Generic_2.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/supplemental/clamav/Trojan_Script_Generic_2.ldb 
-------------------------------------------------------------------------------- /rules/G2JS/supplemental/clamav/Trojan_Script_Generic_3.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/G2JS/supplemental/clamav/Trojan_Script_Generic_3.ldb -------------------------------------------------------------------------------- /rules/GETDOMAINPASSWORDPOLICY/production/yara/HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/GETDOMAINPASSWORDPOLICY/production/yara/HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar -------------------------------------------------------------------------------- /rules/GPOHUNT/production/yara/APT_HackTool_MSIL_GPOHUNT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/GPOHUNT/production/yara/APT_HackTool_MSIL_GPOHUNT_1.yar -------------------------------------------------------------------------------- /rules/IMPACKETOBF (Smbexec)/production/snort/Methodology.SMB.Impacket-Obfuscation.[Service Names].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF (Smbexec)/production/snort/Methodology.SMB.Impacket-Obfuscation.[Service Names].rules -------------------------------------------------------------------------------- /rules/IMPACKETOBF (Smbexec)/production/yara/HackTool_PY_ImpacketObfuscation_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF 
(Smbexec)/production/yara/HackTool_PY_ImpacketObfuscation_1.yar -------------------------------------------------------------------------------- /rules/IMPACKETOBF (Wmiexec)/production/yara/HackTool_PY_ImpacketObfuscation_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF (Wmiexec)/production/yara/HackTool_PY_ImpacketObfuscation_2.yar -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/clamav/APT_HackTool_PY_ImpacketObfuscation_2.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/clamav/APT_HackTool_PY_ImpacketObfuscation_2.ldb -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/clamav/HackTool_PY_ImpacketObfuscation_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/clamav/HackTool_PY_ImpacketObfuscation_1.ldb -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/hxioc/IMPACKET-OBFUSCATION SMBEXEC (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/hxioc/IMPACKET-OBFUSCATION SMBEXEC (UTILITY).ioc -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/hxioc/IMPACKET-OBFUSCATION WMIEXEC (UTILITY).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/hxioc/IMPACKET-OBFUSCATION WMIEXEC (UTILITY).ioc -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/hxioc/Obfuscacted Impacket wmiexec (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/hxioc/Obfuscacted Impacket wmiexec (Utility).ioc -------------------------------------------------------------------------------- /rules/IMPACKETOBF/production/hxioc/Obfuscated Impacket smbexec (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/IMPACKETOBF/production/hxioc/Obfuscated Impacket smbexec (Utility).ioc -------------------------------------------------------------------------------- /rules/INVEIGHZERO/production/yara/HackTool_MSIL_INVEIGHZERO_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/INVEIGHZERO/production/yara/HackTool_MSIL_INVEIGHZERO_1.yar -------------------------------------------------------------------------------- /rules/JUSTASK/production/yara/APT_HackTool_MSIL_JUSTASK_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/JUSTASK/production/yara/APT_HackTool_MSIL_JUSTASK_1.yar -------------------------------------------------------------------------------- /rules/KEEFARCE/production/yara/HackTool_MSIL_KeeFarce_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/KEEFARCE/production/yara/HackTool_MSIL_KeeFarce_1.yar -------------------------------------------------------------------------------- /rules/KEEPERSIST/production/yara/HackTool_MSIL_KeePersist_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/KEEPERSIST/production/yara/HackTool_MSIL_KeePersist_1.yar -------------------------------------------------------------------------------- /rules/LNKSMASHER/production/clamav/APT_Builder_PY_LNKSMASHER_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/production/clamav/APT_Builder_PY_LNKSMASHER_1.ldb -------------------------------------------------------------------------------- /rules/LNKSMASHER/production/clamav/APT_Trojan_LNK_LNKSMASHER_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/production/clamav/APT_Trojan_LNK_LNKSMASHER_1.ldb -------------------------------------------------------------------------------- /rules/LNKSMASHER/production/clamav/APT_Trojan_LNK_LNKSMASHER_2.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/production/clamav/APT_Trojan_LNK_LNKSMASHER_2.ldb -------------------------------------------------------------------------------- /rules/LNKSMASHER/production/hxioc/LNKSMASHER COMMANDS.ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/production/hxioc/LNKSMASHER COMMANDS.ioc 
-------------------------------------------------------------------------------- /rules/LNKSMASHER/production/yara/Dropper_LNK_LNKSmasher_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/production/yara/Dropper_LNK_LNKSmasher_1.yar -------------------------------------------------------------------------------- /rules/LNKSMASHER/supplemental/hxioc/LNK SMASHER (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/supplemental/hxioc/LNK SMASHER (UTILITY).ioc -------------------------------------------------------------------------------- /rules/LNKSMASHER/supplemental/yara/Hunting_LNK_Win_GenericLauncher.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LNKSMASHER/supplemental/yara/Hunting_LNK_Win_GenericLauncher.yar -------------------------------------------------------------------------------- /rules/LUALOADER/production/yara/APT_HackTool_MSIL_LUALOADER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LUALOADER/production/yara/APT_HackTool_MSIL_LUALOADER_1.yar -------------------------------------------------------------------------------- /rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_1.yar -------------------------------------------------------------------------------- 
/rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_2.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/clamav/APT_Builder_PY_MATRYOSHKA_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/clamav/APT_Builder_PY_MATRYOSHKA_1.ldb -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Builder_PY_MATRYOSHKA_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Builder_PY_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Builder_Win64_MATRYOSHKA_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Builder_Win64_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Dropper_Win64_MATRYOSHKA_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Dropper_Win64_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Dropper_Win_MATRYOSHKA_1.yar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Dropper_Win_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_2.yar -------------------------------------------------------------------------------- /rules/MATRYOSHKA/production/yara/APT_Loader_Win_MATRYOSHKA_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MATRYOSHKA/production/yara/APT_Loader_Win_MATRYOSHKA_1.yar -------------------------------------------------------------------------------- /rules/MEMCOMP/production/yara/Loader_MSIL_InMemoryCompilation_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MEMCOMP/production/yara/Loader_MSIL_InMemoryCompilation_1.yar -------------------------------------------------------------------------------- /rules/MOFCOMP/production/hxioc/Suspicious MOF File.ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MOFCOMP/production/hxioc/Suspicious MOF File.ioc -------------------------------------------------------------------------------- /rules/MSBUILDME/supplemental/hxioc/USERINIT PROCESS LAUNCH BY MSBUILD.EXE (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/MSBUILDME/supplemental/hxioc/USERINIT PROCESS LAUNCH BY MSBUILD.EXE (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/NETASSEMBLYINJECT/production/yara/Loader_MSIL_NETAssemblyInject_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/NETASSEMBLYINJECT/production/yara/Loader_MSIL_NETAssemblyInject_1.yar -------------------------------------------------------------------------------- /rules/NETSHSHELLCODERUNNER/production/yara/Loader_MSIL_NetshShellCodeRunner_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/NETSHSHELLCODERUNNER/production/yara/Loader_MSIL_NetshShellCodeRunner_1.yar -------------------------------------------------------------------------------- /rules/NOAMCI/production/yara/APT_HackTool_MSIL_NOAMCI_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/NOAMCI/production/yara/APT_HackTool_MSIL_NOAMCI_1.yar -------------------------------------------------------------------------------- /rules/PGF/production/clamav/APT_Builder_PY_PGF_1.ldb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/clamav/APT_Builder_PY_PGF_1.ldb -------------------------------------------------------------------------------- /rules/PGF/production/clamav/APT_Loader_CSPROJ_PGF_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/clamav/APT_Loader_CSPROJ_PGF_1.ldb -------------------------------------------------------------------------------- /rules/PGF/production/clamav/APT_Loader_TT_PGF_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/clamav/APT_Loader_TT_PGF_1.ldb -------------------------------------------------------------------------------- /rules/PGF/production/clamav/APT_Loader_XOML_PGF_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/clamav/APT_Loader_XOML_PGF_1.ldb -------------------------------------------------------------------------------- /rules/PGF/production/hxioc/INSTALLUTIL APP WHITELISTING BYPASS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/hxioc/INSTALLUTIL APP WHITELISTING BYPASS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/production/hxioc/PayloadGenerationFramework FileWrites (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/hxioc/PayloadGenerationFramework FileWrites (Utility).ioc 
-------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_MSIL_PGF_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_MSIL_PGF_1.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_MSIL_PGF_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_MSIL_PGF_2.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win32_PGF_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win32_PGF_1.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win32_PGF_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win32_PGF_2.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win32_PGF_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win32_PGF_3.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win32_PGF_4.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win32_PGF_4.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win32_PGF_5.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win32_PGF_5.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win64_PGF_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win64_PGF_1.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win64_PGF_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win64_PGF_2.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win64_PGF_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win64_PGF_3.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win64_PGF_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win64_PGF_4.yar -------------------------------------------------------------------------------- 
/rules/PGF/production/yara/APT_Loader_Win64_PGF_5.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win64_PGF_5.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win_PGF_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win_PGF_1.yar -------------------------------------------------------------------------------- /rules/PGF/production/yara/APT_Loader_Win_PGF_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/production/yara/APT_Loader_Win_PGF_2.yar -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/CONTROL PANEL ITEMS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/CONTROL PANEL ITEMS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/DISM EXECUTION IN SUSPICIOUS LOCATION (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/DISM EXECUTION IN SUSPICIOUS LOCATION (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/DISM NETWORK ACTIVITY (METHODOLOGY).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/DISM NETWORK ACTIVITY (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/INSTALLUTIL CHILD PROCESS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/INSTALLUTIL CHILD PROCESS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/LOLBIN EXECUTION (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/LOLBIN EXECUTION (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/NETSH EXECUTION (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/NETSH EXECUTION (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/POSSIBLE SRPROXY SIDE-LOADING (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/POSSIBLE SRPROXY SIDE-LOADING (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/PackageIdentification.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/PackageIdentification.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/PotPlayer.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/PotPlayer.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/REGASM PARENT PROCESS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/REGASM PARENT PROCESS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/RUNDLL32 EXECUTION (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/RUNDLL32 EXECUTION (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/SUSPICIOUS DLL LOAD (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/SUSPICIOUS DLL LOAD (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/SUSPICIOUS EXECUTION OF SEARCHPROTOCOLHOST (METHODOLOGY).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/SUSPICIOUS EXECUTION OF SEARCHPROTOCOLHOST (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/TEXTTRANSFORM PARENT PROCESS (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/TEXTTRANSFORM PARENT PROCESS (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/Wdscore.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/Wdscore.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/api-ms-win-downlevel-shell32-l1-1-0.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/api-ms-win-downlevel-shell32-l1-1-0.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/ashldres.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/ashldres.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/ccl110u.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/ccl110u.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/cclib.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/cclib.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/chrome_frame_helper.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/chrome_frame_helper.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/crshhndl.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/crshhndl.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/dismcore.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/dismcore.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/dwmapi.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/dwmapi.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/elogger.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/elogger.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/fmtoptions.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/fmtoptions.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/goopdate.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/goopdate.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/hpcustpartui.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/hpcustpartui.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/mcutil.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/mcutil.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/mscorsvc.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/mscorsvc.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/msi.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/msi.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/nflogger.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/nflogger.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/pc2msupp.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/pc2msupp.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/pt1.aym Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/pt1.aym Hijack 
(Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/sidebar.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/sidebar.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/splash_screen.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/splash_screen.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/tmas_wlmhook.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/tmas_wlmhook.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/ui.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/ui.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- /rules/PGF/supplemental/hxioc/ushata.dll Hijack (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PGF/supplemental/hxioc/ushata.dll Hijack (Methodology).ioc -------------------------------------------------------------------------------- 
/rules/PREPSHELLCODE/production/yara/HackTool_MSIL_PrepShellcode_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PREPSHELLCODE/production/yara/HackTool_MSIL_PrepShellcode_1.yar -------------------------------------------------------------------------------- /rules/PUPPYHOUND/production/yara/HackTool_MSIL_PuppyHound_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PUPPYHOUND/production/yara/HackTool_MSIL_PuppyHound_1.yar -------------------------------------------------------------------------------- /rules/PUPPYHOUND/production/yara/HackTool_MSIL_SharpHound_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PUPPYHOUND/production/yara/HackTool_MSIL_SharpHound_3.yar -------------------------------------------------------------------------------- /rules/PXELOOT/production/hxioc/PAX dism WIM mount (utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PXELOOT/production/hxioc/PAX dism WIM mount (utility).ioc -------------------------------------------------------------------------------- /rules/PXELOOT/production/hxioc/PXELOOT (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PXELOOT/production/hxioc/PXELOOT (UTILITY).ioc -------------------------------------------------------------------------------- /rules/PXELOOT/production/yara/HackTool_MSIL_PXELOOT_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PXELOOT/production/yara/HackTool_MSIL_PXELOOT_1.yar -------------------------------------------------------------------------------- /rules/PXELOOT/production/yara/HackTool_MSIL_PXELOOT_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/PXELOOT/production/yara/HackTool_MSIL_PXELOOT_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[Build ID].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[Build ID].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[HTTP Response].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[HTTP Response].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[POST Content].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[POST Content].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[POST].rules: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[POST].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[SID1].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[SID1].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[SSL Cert].rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/snort/Backdoor.HTTP.GORAT.[SSL Cert].rules -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_MacOS_GORAT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_MacOS_GORAT_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_2.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_3.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_5.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_5.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GoRat_Memory.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GoRat_Memory.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Module_PowerShell_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Module_PowerShell_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Controller_Linux_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Controller_Linux_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Downloader_Win32_REDFLARE_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Downloader_Win32_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Downloader_Win64_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Downloader_Win64_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Keylogger_Win32_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Keylogger_Win32_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Keylogger_Win64_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Keylogger_Win64_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Raw32_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Raw32_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Raw64_REDFLARE_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Raw64_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_1.yar 
-------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_2.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_3.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_4.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_5.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_5.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_7.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_7.yar -------------------------------------------------------------------------------- /rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_8.yar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_8.yar -------------------------------------------------------------------------------- /rules/REDFLARE/supplemental/yara/APT_Trojan_Linux_REDFLARE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/supplemental/yara/APT_Trojan_Linux_REDFLARE_1.yar -------------------------------------------------------------------------------- /rules/REDFLARE/supplemental/yara/APT_Trojan_Win_REDFLARE_6.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REDFLARE/supplemental/yara/APT_Trojan_Win_REDFLARE_6.yar -------------------------------------------------------------------------------- /rules/RESUMEPLEASE/production/clamav/Trojan_Macro_RESUMEPLEASE_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/RESUMEPLEASE/production/clamav/Trojan_Macro_RESUMEPLEASE_1.ldb -------------------------------------------------------------------------------- /rules/RESUMEPLEASE/production/yara/Trojan_Macro_RESUMEPLEASE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/RESUMEPLEASE/production/yara/Trojan_Macro_RESUMEPLEASE_1.yar -------------------------------------------------------------------------------- /rules/REVOLVER/production/yara/APT_HackTool_MSIL_REVOLVER_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REVOLVER/production/yara/APT_HackTool_MSIL_REVOLVER_1.yar -------------------------------------------------------------------------------- /rules/REVOLVER/production/yara/APT_Loader_MSIL_REVOLVER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/REVOLVER/production/yara/APT_Loader_MSIL_REVOLVER_1.yar -------------------------------------------------------------------------------- /rules/RUBEUS/production/yara/HackTool_MSIL_Rubeus_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/RUBEUS/production/yara/HackTool_MSIL_Rubeus_1.yar -------------------------------------------------------------------------------- /rules/SAFETYKATZ/production/hxioc/SAFETYKATZ (CREDENTIAL STEALER).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SAFETYKATZ/production/hxioc/SAFETYKATZ (CREDENTIAL STEALER).ioc -------------------------------------------------------------------------------- /rules/SAFETYKATZ/production/hxioc/SafetyKatz A (Credential Stealer).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SAFETYKATZ/production/hxioc/SafetyKatz A (Credential Stealer).ioc -------------------------------------------------------------------------------- /rules/SAFETYKATZ/production/yara/HackTool_MSIL_SAFETYKATZ_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SAFETYKATZ/production/yara/HackTool_MSIL_SAFETYKATZ_4.yar 
-------------------------------------------------------------------------------- /rules/SHARPERSIST/production/hxioc/SHARPERSIST (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/hxioc/SHARPERSIST (UTILITY).ioc -------------------------------------------------------------------------------- /rules/SHARPERSIST/production/hxioc/SHARPERSIST A (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/hxioc/SHARPERSIST A (UTILITY).ioc -------------------------------------------------------------------------------- /rules/SHARPERSIST/production/hxioc/Service Failure Abuse (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/hxioc/Service Failure Abuse (Methodology).ioc -------------------------------------------------------------------------------- /rules/SHARPERSIST/production/hxioc/SharPersist B (utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/hxioc/SharPersist B (utility).ioc -------------------------------------------------------------------------------- /rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_1.yar -------------------------------------------------------------------------------- 
/rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_2.yar -------------------------------------------------------------------------------- /rules/SHARPERSIST/supplemental/hxioc/COM CLSID registry activity (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/supplemental/hxioc/COM CLSID registry activity (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/SHARPERSIST/supplemental/hxioc/HOTKEY PERSISTENCE (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPERSIST/supplemental/hxioc/HOTKEY PERSISTENCE (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/SHARPGENERATOR/production/yara/Builder_MSIL_SharpGenerator_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPGENERATOR/production/yara/Builder_MSIL_SharpGenerator_1.yar -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/hxioc/Possible Handler Poisoning (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/hxioc/Possible Handler Poisoning (Methodology).ioc -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/hxioc/SHARPIVOT 
(UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/hxioc/SHARPIVOT (UTILITY).ioc -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_1.yar -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_2.yar -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_3.yar -------------------------------------------------------------------------------- /rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_4.yar -------------------------------------------------------------------------------- /rules/SHARPPGREP/production/yara/Tool_MSIL_SharpGrep_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPPGREP/production/yara/Tool_MSIL_SharpGrep_1.yar -------------------------------------------------------------------------------- /rules/SHARPSACK/production/yara/APT_HackTool_MSIL_SHARPSACK_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSACK/production/yara/APT_HackTool_MSIL_SHARPSACK_1.yar -------------------------------------------------------------------------------- /rules/SHARPSCHTASK/production/yara/HackTool_MSIL_SharpSchtask_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSCHTASK/production/yara/HackTool_MSIL_SharpSchtask_1.yar -------------------------------------------------------------------------------- /rules/SHARPSECTIONINJECTION/production/yara/Loader_MSIL_CSharpSectionInjection_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSECTIONINJECTION/production/yara/Loader_MSIL_CSharpSectionInjection_1.yar -------------------------------------------------------------------------------- /rules/SHARPSTOMP/production/hxioc/SHARPSTOMP (UTILITY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSTOMP/production/hxioc/SHARPSTOMP (UTILITY).ioc -------------------------------------------------------------------------------- /rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_1.yar -------------------------------------------------------------------------------- /rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_2.yar -------------------------------------------------------------------------------- /rules/SHARPSTOMP/production/yara/HackTool_MSIL_SharpStomp_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPSTOMP/production/yara/HackTool_MSIL_SharpStomp_1.yar -------------------------------------------------------------------------------- /rules/SHARPUTILS/production/yara/Tool_MSIL_CSharpUtils_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPUTILS/production/yara/Tool_MSIL_CSharpUtils_1.yar -------------------------------------------------------------------------------- /rules/SHARPY/production/yara/Loader_MSIL_SharPy_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPY/production/yara/Loader_MSIL_SharPy_1.yar -------------------------------------------------------------------------------- /rules/SHARPZEROLOGON/production/yara/HackTool_MSIL_SHARPZEROLOGON_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SHARPZEROLOGON/production/yara/HackTool_MSIL_SHARPZEROLOGON_1.yar 
-------------------------------------------------------------------------------- /rules/SINFULOFFICE/production/yara/Builder_MSIL_SinfulOffice_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SINFULOFFICE/production/yara/Builder_MSIL_SinfulOffice_1.yar -------------------------------------------------------------------------------- /rules/SINFULOFFICE/supplemental/yara/Methodology_OLE_CHARENCODING_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/SINFULOFFICE/supplemental/yara/Methodology_OLE_CHARENCODING_2.yar -------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/hxioc/TitoSpecial Memory Dump (Credential Stealer).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/hxioc/TitoSpecial Memory Dump (Credential Stealer).ioc -------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/yara/APT_HackTool_MSIL_TITOSPECIAL_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/yara/APT_HackTool_MSIL_TITOSPECIAL_1.yar -------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_1.yar 
-------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_2.yar -------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/yara/HackTool_Win32_AndrewSpecial_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/yara/HackTool_Win32_AndrewSpecial_1.yar -------------------------------------------------------------------------------- /rules/TITOSPECIAL/production/yara/HackTool_Win64_AndrewSpecial_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TITOSPECIAL/production/yara/HackTool_Win64_AndrewSpecial_1.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_1.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_2.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_1.yar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_1.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_2.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/production/yara/Loader_MSIL_RuralBishop_3.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/production/yara/Loader_MSIL_RuralBishop_3.yar -------------------------------------------------------------------------------- /rules/TRIMBISHOP/production/yara/Loader_MSIL_TrimBishop_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/TRIMBISHOP/production/yara/Loader_MSIL_TrimBishop_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/hxioc/DISM.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/hxioc/DISM.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/hxioc/SEARCHPROTOCOLHOST.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/hxioc/SEARCHPROTOCOLHOST.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/hxioc/WERFAULT.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/hxioc/WERFAULT.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_DNSOVERHTTPS_C2_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_DNSOVERHTTPS_C2_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_PRAT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_PRAT_1.yar -------------------------------------------------------------------------------- 
/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_REDTEAMMATERIALS_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_REDTEAMMATERIALS_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDACL_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDACL_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDNS_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDNS_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPGOPHER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPGOPHER_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNATIVEZIPPER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNATIVEZIPPER_1.yar -------------------------------------------------------------------------------- 
/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNFS_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNFS_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPPATCHCHECK_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPPATCHCHECK_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPSQLCLIENT_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPSQLCLIENT_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPTEMPLATE_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPTEMPLATE_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPWEBCRAWLER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPWEBCRAWLER_1.yar -------------------------------------------------------------------------------- 
/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_CredSnatcher_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_CredSnatcher_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_WCMDump_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_WCMDump_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/clamav/Dropper_HTA_Generic_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/clamav/Dropper_HTA_Generic_1.ldb -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/clamav/Trojan_HTA_Generic_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/clamav/Trojan_HTA_Generic_1.ldb -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/clamav/Trojan_PS1_Generic_4.ldb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/clamav/Trojan_PS1_Generic_4.ldb -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/clamav/Trojan_PY_Generic_1.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/clamav/Trojan_PY_Generic_1.ldb -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/clamav/Trojan_VBS_Generic_4.ldb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/clamav/Trojan_VBS_Generic_4.ldb -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/yara/Loader_MSIL_Generic_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/yara/Loader_MSIL_Generic_1.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_19.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_19.yar -------------------------------------------------------------------------------- /rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_20.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_20.yar -------------------------------------------------------------------------------- /rules/WEAPONIZE/supplemental/hxioc/SUSPICIOUS EXECUTION OF TSTHEME.EXE (METHODOLOGY).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WEAPONIZE/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20TSTHEME.EXE%20(METHODOLOGY).ioc -------------------------------------------------------------------------------- /rules/WILDCHILD/production/hxioc/WildChild Filewrite (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WILDCHILD/production/hxioc/WildChild%20Filewrite%20(Utility).ioc -------------------------------------------------------------------------------- /rules/WILDCHILD/production/yara/APT_Loader_MSIL_WILDCHILD_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WILDCHILD/production/yara/APT_Loader_MSIL_WILDCHILD_1.yar -------------------------------------------------------------------------------- /rules/WILDCHILD/production/yara/Dropper_HTA_WildChild_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WILDCHILD/production/yara/Dropper_HTA_WildChild_1.yar -------------------------------------------------------------------------------- /rules/WILDCHILD/production/yara/Loader_MSIL_WildChild_1.yar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WILDCHILD/production/yara/Loader_MSIL_WildChild_1.yar -------------------------------------------------------------------------------- /rules/WMIRUNNER/production/yara/Loader_MSIL_WMIRunner_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WMIRUNNER/production/yara/Loader_MSIL_WMIRunner_1.yar -------------------------------------------------------------------------------- /rules/WMISHARP/production/yara/HackTool_MSIL_WMISharp_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WMISHARP/production/yara/HackTool_MSIL_WMISharp_1.yar -------------------------------------------------------------------------------- /rules/WMISPY/production/yara/APT_HackTool_MSIL_WMISPY_2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WMISPY/production/yara/APT_HackTool_MSIL_WMISPY_2.yar -------------------------------------------------------------------------------- /rules/WMISPY/production/yara/HackTool_MSIL_WMIspy_1.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/rules/WMISPY/production/yara/HackTool_MSIL_WMIspy_1.yar -------------------------------------------------------------------------------- /signatures_table_of_content.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/red_team_tool_countermeasures/HEAD/signatures_table_of_content.csv --------------------------------------------------------------------------------