├── .github └── workflows │ ├── OtherProjects.yaml │ ├── Webshell.yaml │ ├── YaraFile.yaml │ ├── YaraProcess.yaml │ └── ZipVQL.yaml ├── .gitignore ├── README.md ├── csv ├── Eventlogs.csv ├── ExeOriginalName.csv ├── InstalledSoftware.csv ├── MFT.csv ├── NamedPipes.csv ├── WebBrowsers.csv ├── bootloaders.csv ├── drivers_malicious.csv ├── drivers_vulnerable.csv ├── hijacklibs.csv └── lolrmm.csv ├── scripts ├── amcache.py ├── applications.py ├── base_functions.py ├── base_functions_yara.py ├── binaryrename.py ├── bootloaders.py ├── diff_csv.py ├── evtx.py ├── get_file_yara.py ├── get_memory_yara.py ├── get_webshell_yara.py ├── hijacklibs.py ├── iseautosave.py ├── loldrivers.py ├── loldrivers_yara.py ├── lolrmm.py ├── mft.py ├── namedpipes.py ├── psreadline.py ├── starthunts.py ├── webhistory.py ├── yaraprocess.py ├── yarawebshell.py └── zoneidentifier.py ├── templates ├── Amcache.template ├── Applications.template ├── BinaryRename.template ├── Bootloaders.template ├── Evtx.template ├── Hijacklibs.template ├── ISEAutoSave.template ├── LolDrivers.template ├── MFT.template ├── NamedPipes.template ├── PSReadline.template ├── StartHunts.template ├── Webhistory.template ├── YaraLolDrivers.template ├── YaraProcessLinux.template ├── YaraProcessMacos.template ├── YaraProcessWin.template ├── YaraWebshell.template └── ZoneIdentifier.template ├── vql ├── Amcache.yaml ├── Applications.yaml ├── BinaryRename.yaml ├── Bootloaders.yaml ├── Evtx.yaml ├── HijackLibsEnv.yaml ├── HijackLibsMFT.yaml ├── ISEAutoSave.yaml ├── LolDriversMalicious.yaml ├── LolDriversVulnerable.yaml ├── LolDriversYara.yaml ├── LolRMM.yaml ├── MFT.yaml ├── ManageContent.yaml ├── NamedPipes.yaml ├── NetworkProvider.yaml ├── PSReadline.yaml ├── StartHunts.yaml ├── Webhistory.yaml ├── YaraFile.yaml ├── YaraProcessLinux.yaml ├── YaraProcessMacos.yaml ├── YaraProcessWin.yaml ├── YaraWebshell.yaml └── ZoneIdentifier.yaml └── yara ├── full_linux_file.yar.gz ├── full_linux_process.yar ├── full_macos_file.yar.gz ├── full_macos_process.yar ├── full_windows_file.yar.gz ├── full_windows_process.yar ├── webshells.yar └── yara-rules-full.yar /.github/workflows/OtherProjects.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.github/workflows/OtherProjects.yaml -------------------------------------------------------------------------------- /.github/workflows/Webshell.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.github/workflows/Webshell.yaml -------------------------------------------------------------------------------- /.github/workflows/YaraFile.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.github/workflows/YaraFile.yaml -------------------------------------------------------------------------------- /.github/workflows/YaraProcess.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.github/workflows/YaraProcess.yaml -------------------------------------------------------------------------------- /.github/workflows/ZipVQL.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.github/workflows/ZipVQL.yaml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/.gitignore -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/README.md -------------------------------------------------------------------------------- /csv/Eventlogs.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/Eventlogs.csv -------------------------------------------------------------------------------- /csv/ExeOriginalName.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/ExeOriginalName.csv -------------------------------------------------------------------------------- /csv/InstalledSoftware.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/InstalledSoftware.csv -------------------------------------------------------------------------------- /csv/MFT.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/MFT.csv -------------------------------------------------------------------------------- /csv/NamedPipes.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/NamedPipes.csv -------------------------------------------------------------------------------- /csv/WebBrowsers.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/WebBrowsers.csv -------------------------------------------------------------------------------- /csv/bootloaders.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/bootloaders.csv -------------------------------------------------------------------------------- /csv/drivers_malicious.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/drivers_malicious.csv -------------------------------------------------------------------------------- /csv/drivers_vulnerable.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/drivers_vulnerable.csv -------------------------------------------------------------------------------- /csv/hijacklibs.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/hijacklibs.csv -------------------------------------------------------------------------------- /csv/lolrmm.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/csv/lolrmm.csv -------------------------------------------------------------------------------- /scripts/amcache.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/amcache.py -------------------------------------------------------------------------------- /scripts/applications.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/applications.py -------------------------------------------------------------------------------- /scripts/base_functions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/base_functions.py -------------------------------------------------------------------------------- /scripts/base_functions_yara.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/base_functions_yara.py -------------------------------------------------------------------------------- /scripts/binaryrename.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/binaryrename.py -------------------------------------------------------------------------------- /scripts/bootloaders.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/bootloaders.py -------------------------------------------------------------------------------- /scripts/diff_csv.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/diff_csv.py -------------------------------------------------------------------------------- /scripts/evtx.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/evtx.py -------------------------------------------------------------------------------- /scripts/get_file_yara.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/get_file_yara.py -------------------------------------------------------------------------------- /scripts/get_memory_yara.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/get_memory_yara.py -------------------------------------------------------------------------------- /scripts/get_webshell_yara.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/get_webshell_yara.py -------------------------------------------------------------------------------- /scripts/hijacklibs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/hijacklibs.py -------------------------------------------------------------------------------- /scripts/iseautosave.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/iseautosave.py -------------------------------------------------------------------------------- /scripts/loldrivers.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/loldrivers.py -------------------------------------------------------------------------------- /scripts/loldrivers_yara.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/loldrivers_yara.py -------------------------------------------------------------------------------- /scripts/lolrmm.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/lolrmm.py -------------------------------------------------------------------------------- /scripts/mft.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/mft.py -------------------------------------------------------------------------------- /scripts/namedpipes.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/namedpipes.py -------------------------------------------------------------------------------- /scripts/psreadline.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/psreadline.py -------------------------------------------------------------------------------- /scripts/starthunts.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/starthunts.py -------------------------------------------------------------------------------- /scripts/webhistory.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/webhistory.py -------------------------------------------------------------------------------- /scripts/yaraprocess.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/yaraprocess.py -------------------------------------------------------------------------------- /scripts/yarawebshell.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/yarawebshell.py -------------------------------------------------------------------------------- /scripts/zoneidentifier.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/scripts/zoneidentifier.py -------------------------------------------------------------------------------- /templates/Amcache.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Amcache.template -------------------------------------------------------------------------------- /templates/Applications.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Applications.template -------------------------------------------------------------------------------- /templates/BinaryRename.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/BinaryRename.template -------------------------------------------------------------------------------- /templates/Bootloaders.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Bootloaders.template -------------------------------------------------------------------------------- /templates/Evtx.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Evtx.template -------------------------------------------------------------------------------- /templates/Hijacklibs.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Hijacklibs.template -------------------------------------------------------------------------------- /templates/ISEAutoSave.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/ISEAutoSave.template -------------------------------------------------------------------------------- /templates/LolDrivers.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/LolDrivers.template -------------------------------------------------------------------------------- /templates/MFT.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/MFT.template -------------------------------------------------------------------------------- /templates/NamedPipes.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/NamedPipes.template -------------------------------------------------------------------------------- /templates/PSReadline.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/PSReadline.template -------------------------------------------------------------------------------- /templates/StartHunts.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/StartHunts.template -------------------------------------------------------------------------------- /templates/Webhistory.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/Webhistory.template -------------------------------------------------------------------------------- /templates/YaraLolDrivers.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/YaraLolDrivers.template -------------------------------------------------------------------------------- /templates/YaraProcessLinux.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/YaraProcessLinux.template -------------------------------------------------------------------------------- /templates/YaraProcessMacos.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/YaraProcessMacos.template -------------------------------------------------------------------------------- /templates/YaraProcessWin.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/YaraProcessWin.template -------------------------------------------------------------------------------- /templates/YaraWebshell.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/YaraWebshell.template -------------------------------------------------------------------------------- /templates/ZoneIdentifier.template: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/templates/ZoneIdentifier.template -------------------------------------------------------------------------------- /vql/Amcache.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/Amcache.yaml -------------------------------------------------------------------------------- /vql/Applications.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/Applications.yaml -------------------------------------------------------------------------------- /vql/BinaryRename.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/BinaryRename.yaml -------------------------------------------------------------------------------- /vql/Bootloaders.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/Bootloaders.yaml -------------------------------------------------------------------------------- /vql/Evtx.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/Evtx.yaml -------------------------------------------------------------------------------- /vql/HijackLibsEnv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/HijackLibsEnv.yaml -------------------------------------------------------------------------------- /vql/HijackLibsMFT.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/HijackLibsMFT.yaml -------------------------------------------------------------------------------- /vql/ISEAutoSave.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/ISEAutoSave.yaml -------------------------------------------------------------------------------- /vql/LolDriversMalicious.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/LolDriversMalicious.yaml -------------------------------------------------------------------------------- /vql/LolDriversVulnerable.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/LolDriversVulnerable.yaml -------------------------------------------------------------------------------- /vql/LolDriversYara.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/LolDriversYara.yaml -------------------------------------------------------------------------------- /vql/LolRMM.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/LolRMM.yaml -------------------------------------------------------------------------------- /vql/MFT.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/MFT.yaml -------------------------------------------------------------------------------- /vql/ManageContent.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/ManageContent.yaml -------------------------------------------------------------------------------- /vql/NamedPipes.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/NamedPipes.yaml -------------------------------------------------------------------------------- /vql/NetworkProvider.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/NetworkProvider.yaml -------------------------------------------------------------------------------- /vql/PSReadline.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/PSReadline.yaml -------------------------------------------------------------------------------- /vql/StartHunts.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/StartHunts.yaml -------------------------------------------------------------------------------- /vql/Webhistory.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/Webhistory.yaml -------------------------------------------------------------------------------- /vql/YaraFile.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/YaraFile.yaml -------------------------------------------------------------------------------- /vql/YaraProcessLinux.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/YaraProcessLinux.yaml -------------------------------------------------------------------------------- /vql/YaraProcessMacos.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/YaraProcessMacos.yaml -------------------------------------------------------------------------------- /vql/YaraProcessWin.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/YaraProcessWin.yaml -------------------------------------------------------------------------------- /vql/YaraWebshell.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/YaraWebshell.yaml -------------------------------------------------------------------------------- /vql/ZoneIdentifier.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/vql/ZoneIdentifier.yaml -------------------------------------------------------------------------------- /yara/full_linux_file.yar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_linux_file.yar.gz -------------------------------------------------------------------------------- /yara/full_linux_process.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_linux_process.yar -------------------------------------------------------------------------------- /yara/full_macos_file.yar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_macos_file.yar.gz -------------------------------------------------------------------------------- /yara/full_macos_process.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_macos_process.yar -------------------------------------------------------------------------------- /yara/full_windows_file.yar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_windows_file.yar.gz -------------------------------------------------------------------------------- /yara/full_windows_process.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/full_windows_process.yar -------------------------------------------------------------------------------- /yara/webshells.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/webshells.yar -------------------------------------------------------------------------------- /yara/yara-rules-full.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgreen27/DetectRaptor/HEAD/yara/yara-rules-full.yar --------------------------------------------------------------------------------