mthcht
diff --git a/‎_utils/threathunting-keywords.csv
Lines changed: 27411 additions & 27012 deletions b/‎_utils/threathunting-keywords.csv
Lines changed: 27411 additions & 27012 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/E-H/guerrillamail.yara
Lines changed: 23 additions & 0 deletions b/‎yara_rules/greyware_tool_keyword/E-H/guerrillamail.yara
Lines changed: 23 additions & 0 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/L-N/MpCmdRun.yara
Lines changed: 4 additions & 4 deletions b/‎yara_rules/greyware_tool_keyword/L-N/MpCmdRun.yara
Lines changed: 4 additions & 4 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/L-N/ldap queries.yara
Lines changed: 25 additions & 22 deletions b/‎yara_rules/greyware_tool_keyword/L-N/ldap queries.yara
Lines changed: 25 additions & 22 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/L-N/maildrop.yara
Lines changed: 17 additions & 0 deletions b/‎yara_rules/greyware_tool_keyword/L-N/maildrop.yara
Lines changed: 17 additions & 0 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/O-Q/pyinstaller.yara
Lines changed: 6 additions & 3 deletions b/‎yara_rules/greyware_tool_keyword/O-Q/pyinstaller.yara
Lines changed: 6 additions & 3 deletions
diff --git a/‎yara_rules/greyware_tool_keyword/O-Q/python.yara
Lines changed: 6 additions & 3 deletions b/‎yara_rules/greyware_tool_keyword/O-Q/python.yara
Lines changed: 6 additions & 3 deletions
@@ -0,0 +1,23 @@
+rule guerrillamail
+{
+    meta:
+        description = "Detection patterns for the tool 'guerrillamail' taken from the ThreatHunting-Keywords github project" 
+        author = "@mthcht"
+        reference = "https://github.com/mthcht/ThreatHunting-Keywords"
+        tool = "guerrillamail"
+        rule_category = "greyware_tool_keyword"
+
+    strings:
+        // Description: using the API of a disposable email address to use anytime - could be abused by malicious actors
+        // Reference: https://www.guerrillamail.com
+        $string1 = /http\:\/\/api\.guerrillamail\.com\/ajax\.php\?/ nocase ascii wide
+        // Description: disposable email address to use anytime.
+        // Reference: https://www.guerrillamail.com
+        $string2 = /https\:\/\/www\.guerrillamail\.com\/compose/ nocase ascii wide
+        // Description: disposable email address to use anytime.
+        // Reference: https://www.guerrillamail.com
+        $string3 = /https\:\/\/www\.guerrillamail\.com\/inbox/ nocase ascii wide
+
+    condition:
+        any of them
+}
@@ -8,12 +8,12 @@ rule MpCmdRun
         rule_category = "greyware_tool_keyword"
 
     strings:
-        // Description: Wipe currently stored definitions
-        // Reference: N/A
-        $string1 = /MpCmdRun\.exe\s\-RemoveDefinitions\s\-All/ nocase ascii wide
         // Description: Defense evasion technique disable windows defender
         // Reference: N/A
-        $string2 = /MpCmdRun\.exe.{0,1000}\s\-disable/ nocase ascii wide
+        $string1 = /MpCmdRun\.exe.{0,1000}\s\-disable/ nocase ascii wide
+        // Description: Wipe currently stored definitions
+        // Reference: N/A
+        $string2 = /MpCmdRun\.exe.{0,1000}\s\-RemoveDefinitions\s\-All/ nocase ascii wide
 
     condition:
         any of them
 
@@ -65,72 +65,75 @@ rule ldap_queries
         // Description: Enumerate all of the domain controllers for all domains in a forest
         // Reference: N/A
         $string19 = /\(Get\-ADForest\)\.Domains\s\|\s\%\{\sGet\-ADDomainController\s\-Filter\s.{0,1000}\s\-Server\s\$_\s\}/ nocase ascii wide
+        // Description: used by Rubeus and S4UTomato tools
+        // Reference: N/A
+        $string20 = /\(msds\-supportedencryptiontypes\=0\)\(msds\-supportedencryptiontypes\:1\.2\.840\.113556\.1\.4\.803\:\=4\)\)\)/ nocase ascii wide
         // Description: Query to find service accounts which are typically high-privileged and targeted for privilege escalation
         // Reference: https://github.com/mthcht/ThreatHunting-Keywords
-        $string20 = /\(objectCategory\=person\)\(objectClass\=user\)\(serviceAccount\=TRUE\)/ nocase ascii wide
+        $string21 = /\(objectCategory\=person\)\(objectClass\=user\)\(serviceAccount\=TRUE\)/ nocase ascii wide
         // Description: Enumerate Domain Admins
         // Reference: https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d
-        $string21 = /\(objectclass\=group\)\(samaccountname\=domain\sadmins\)/ nocase ascii wide
+        $string22 = /\(objectclass\=group\)\(samaccountname\=domain\sadmins\)/ nocase ascii wide
         // Description: Accounts Trusted for Delegation
         // Reference: https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d
-        $string22 = /\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=524288\)/ nocase ascii wide
+        $string23 = /\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=524288\)/ nocase ascii wide
         // Description: enumeration of Domain Password Policies
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string23 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutDuration/ nocase ascii wide
+        $string24 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutDuration/ nocase ascii wide
         // Description: enumeration of Domain Password Policies
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string24 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutThreshold/ nocase ascii wide
+        $string25 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutThreshold/ nocase ascii wide
         // Description: enumeration of Domain Password Policies
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string25 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}minPwdLength/ nocase ascii wide
+        $string26 = /\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}minPwdLength/ nocase ascii wide
         // Description: enumeration of Domain Admins group members
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string26 = /\[ADSI\].{0,1000}LDAP\:\/\/CN\=Domain\sAdmins.{0,1000}\|\sForEach\-Object\s\{\[adsi\]\"LDAP\:\/\/\$_\"\}\;\s.{0,1000}\.distinguishedname/ nocase ascii wide
+        $string27 = /\[ADSI\].{0,1000}LDAP\:\/\/CN\=Domain\sAdmins.{0,1000}\|\sForEach\-Object\s\{\[adsi\]\"LDAP\:\/\/\$_\"\}\;\s.{0,1000}\.distinguishedname/ nocase ascii wide
         // Description: get LDAP properties for password settings directly
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string27 = /\[ADSI\].{0,1000}LDAP\:\/\/dc\=.{0,1000}\s\|\sSelect\s\-Property\spwdProperties/ nocase ascii wide
+        $string28 = /\[ADSI\].{0,1000}LDAP\:\/\/dc\=.{0,1000}\s\|\sSelect\s\-Property\spwdProperties/ nocase ascii wide
         // Description: find user descriptions in Active Directory:
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string28 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\"\;\s\$users\s\=\s\$searchUsers\.FindAll\(\)\;\s\$userProps\s\=\s\$users\.Properties\;\s\$userProps\s\|\sWhere\-Object\s\{\$_\.description\}/ nocase ascii wide
+        $string29 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\"\;\s\$users\s\=\s\$searchUsers\.FindAll\(\)\;\s\$userProps\s\=\s\$users\.Properties\;\s\$userProps\s\|\sWhere\-Object\s\{\$_\.description\}/ nocase ascii wide
         // Description: find all disabled user accounts
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string29 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\"/ nocase ascii wide
+        $string30 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\"/ nocase ascii wide
         // Description: get a count of all inter domain trust accounts
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string30 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2560\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\"/ nocase ascii wide
+        $string31 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2560\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\"/ nocase ascii wide
         // Description: Detection of all accounts with 'Password Not Required'
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string31 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)/ nocase ascii wide
+        $string32 = /\[adsisearcher\]\"\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)/ nocase ascii wide
         // Description: Enumerate all Domain Controllers
         // Reference: https://web.archive.org/web/20240109000256/https://cyberdom.blog/2024/01/07/defender-for-identity-hunting-for-ldap/
-        $string32 = /\[adsisearcher\]\'\(\&\(objectCategory\=computer\)\(primaryGroupID\=516\)\)\'\)\.FindAll\(\)/ nocase ascii wide
+        $string33 = /\[adsisearcher\]\'\(\&\(objectCategory\=computer\)\(primaryGroupID\=516\)\)\'\)\.FindAll\(\)/ nocase ascii wide
         // Description: Enumerate all accounts that do not require a password
         // Reference: https://jsecurity101.medium.com/uncovering-adversarial-ldap-tradecraft-658b2deca384
-        $string33 = /\[adsisearcher\]\'\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\)\'\)\.FindAll\(\)/ nocase ascii wide
+        $string34 = /\[adsisearcher\]\'\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\)\'\)\.FindAll\(\)/ nocase ascii wide
         // Description: ADSI query to retrieve all active user accounts with non-expiring passwords
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string34 = /\[adsisearcher\].{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=66048\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)/ nocase ascii wide
+        $string35 = /\[adsisearcher\].{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=66048\)\(\!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)/ nocase ascii wide
         // Description: Discover all Domain Controller in the domain using ADSI
         // Reference: https://adsecurity.org/?p=299
-        $string35 = /\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\.DomainControllers/ nocase ascii wide
+        $string36 = /\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\.DomainControllers/ nocase ascii wide
         // Description: Discover all Global Catalogs in the forest using ADSI
         // Reference: https://adsecurity.org/?p=299
-        $string36 = /\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.GlobalCatalogs/ nocase ascii wide
+        $string37 = /\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.GlobalCatalogs/ nocase ascii wide
         // Description: query for the primary domain controller within the forest
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string37 = /\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.RootDomain\.PDCRoleOwner\.Name/ nocase ascii wide
+        $string38 = /\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.RootDomain\.PDCRoleOwner\.Name/ nocase ascii wide
         // Description: cmdlets to get computer information about Domain Controllers
         // Reference: https://adsecurity.org/?p=299
-        $string38 = /get\-ADComputer\s\-filter\s\{\sPrimaryGroupID\s\-eq\s\"516\"\s\}\s\-properties\sPrimaryGroupID/ nocase ascii wide
+        $string39 = /get\-ADComputer\s\-filter\s\{\sPrimaryGroupID\s\-eq\s\"516\"\s\}\s\-properties\sPrimaryGroupID/ nocase ascii wide
         // Description: identifying accounts with 'Password Not Required
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string39 = /Get\-ADUser\s\-filter\s.{0,1000}\s\-Properties\sSamAccountName\,\sPasswordNotRequired\s\|\swhere\s\{\s\$_\.passwordnotrequired\s\-eq\s\"true\"\s\}\s\|\swhere\s\{\$_\.enabled\s\-eq\s\"true\"\}/ nocase ascii wide
+        $string40 = /Get\-ADUser\s\-filter\s.{0,1000}\s\-Properties\sSamAccountName\,\sPasswordNotRequired\s\|\swhere\s\{\s\$_\.passwordnotrequired\s\-eq\s\"true\"\s\}\s\|\swhere\s\{\$_\.enabled\s\-eq\s\"true\"\}/ nocase ascii wide
         // Description: querying accounts that have not been logged into for over 90 days
         // Reference: https://github.com/swarleysez/AD-common-queries
-        $string40 = /Get\-ADUser\s\-properties\s.{0,1000}\s\-filter\s\{\(lastlogondate\s\-notlike\s\".{0,1000}\"\s\-OR\slastlogondate\s\-le\s\$90days\)\s\-AND\s\(passwordlastset\s\-le\s\$90days\)\s\-AND\s\(enabled\s\-eq\s\$True\)\s\-and\s\(PasswordNeverExpires\s\-eq\s\$false\)\s\-and\s\(whencreated\s\-le\s\$90days\)\}/ nocase ascii wide
+        $string41 = /Get\-ADUser\s\-properties\s.{0,1000}\s\-filter\s\{\(lastlogondate\s\-notlike\s\".{0,1000}\"\s\-OR\slastlogondate\s\-le\s\$90days\)\s\-AND\s\(passwordlastset\s\-le\s\$90days\)\s\-AND\s\(enabled\s\-eq\s\$True\)\s\-and\s\(PasswordNeverExpires\s\-eq\s\$false\)\s\-and\s\(whencreated\s\-le\s\$90days\)\}/ nocase ascii wide
         // Description: Red Teams and adversaries may leverage [Adsisearcher] to enumerate domain groups for situational awareness and Active Directory Discovery
         // Reference: https://research.splunk.com/endpoint/089c862f-5f83-49b5-b1c8-7e4ff66560c7/
-        $string41 = /powershell.{0,1000}\[adsisearcher\].{0,1000}\(objectcategory\=group\).{0,1000}findAll\(\)/ nocase ascii wide
+        $string42 = /powershell.{0,1000}\[adsisearcher\].{0,1000}\(objectcategory\=group\).{0,1000}findAll\(\)/ nocase ascii wide
 
     condition:
         any of them
 
@@ -0,0 +1,17 @@
+rule maildrop
+{
+    meta:
+        description = "Detection patterns for the tool 'maildrop' taken from the ThreatHunting-Keywords github project" 
+        author = "@mthcht"
+        reference = "https://github.com/mthcht/ThreatHunting-Keywords"
+        tool = "maildrop"
+        rule_category = "greyware_tool_keyword"
+
+    strings:
+        // Description: disposable email address to use anytime.
+        // Reference: https://maildrop.cc/
+        $string1 = /https\:\/\/maildrop\.cc\/inbox\/\?mailbox\=/ nocase ascii wide
+
+    condition:
+        any of them
+}
@@ -22,13 +22,16 @@ rule pyinstaller
         $string4 = /pyinstaller\s.{0,1000}\.py/ nocase ascii wide
         // Description: PyInstaller bundles a Python application and all its dependencies into a single package executable.
         // Reference: https://www.pyinstaller.org/
-        $string5 = /pyinstaller\.exe/ nocase ascii wide
+        $string5 = /pyinstaller.{0,1000}\s\-\-onefile\s\-\-add\-data\s/ nocase ascii wide
         // Description: PyInstaller bundles a Python application and all its dependencies into a single package executable.
         // Reference: https://www.pyinstaller.org/
-        $string6 = /pyinstaller\/tarball/ nocase ascii wide
+        $string6 = /pyinstaller\.exe/ nocase ascii wide
         // Description: PyInstaller bundles a Python application and all its dependencies into a single package executable.
         // Reference: https://www.pyinstaller.org/
-        $string7 = /pyinstaller\-script\.py/ nocase ascii wide
+        $string7 = /pyinstaller\/tarball/ nocase ascii wide
+        // Description: PyInstaller bundles a Python application and all its dependencies into a single package executable.
+        // Reference: https://www.pyinstaller.org/
+        $string8 = /pyinstaller\-script\.py/ nocase ascii wide
 
     condition:
         any of them
 
@@ -8,15 +8,18 @@ rule python
         rule_category = "greyware_tool_keyword"
 
     strings:
+        // Description: suspicious way of exeuting code
+        // Reference: https://x.com/Ax_Sharma/status/1795813203500322953/photo/4
+        $string1 = /\s\,exec\(__import__\(\'base64\'\)\.b64decode\(\"/ nocase ascii wide
         // Description: interactive shell
         // Reference: N/A
-        $string1 = /\s\-c\s\'import\spty\;pty\.spawn\(\"\/bin\/bash/ nocase ascii wide
+        $string2 = /\s\-c\s\'import\spty\;pty\.spawn\(\"\/bin\/bash/ nocase ascii wide
         // Description: interactive shell
         // Reference: N/A
-        $string2 = /\s\-c\s\'import\spty\;pty\.spawn\(\"\/bin\/sh/ nocase ascii wide
+        $string3 = /\s\-c\s\'import\spty\;pty\.spawn\(\"\/bin\/sh/ nocase ascii wide
         // Description: interactive shell
         // Reference: N/A
-        $string3 = /\s\-c\s\'import\spty\;pty\.spawn\(\\\"\/bin\/sh/ nocase ascii wide
+        $string4 = /\s\-c\s\'import\spty\;pty\.spawn\(\\\"\/bin\/sh/ nocase ascii wide
 
     condition:
         any of them