From 7f3e82c5881a637ee2eb86c6aefba32ba86904b4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 1 Apr 2026 04:30:47 +0000 Subject: [PATCH] chore: archive new rule references and update cache file --- .github/latest_archiver_output.md | 1099 ++++++++++++++--------------- tests/rule-references.txt | 32 + 2 files changed, 572 insertions(+), 559 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 493df060144..b031813e9ea 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,616 +1,597 @@ # Reference Archiver Results -Last Execution: 2026-03-01 02:19:10 +Last Execution: 2026-04-01 04:30:46 ### Archiver Script Results #### Newly Archived References -N/A +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection #### Already Archived References -- https://gtfobins.github.io/gtfobins/curl/ -- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html -- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724 -- https://github.com/clearvector/lambda-spy -- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing -- https://docs.python.org/2/library/simplehttpserver.html -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/ -- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance -- https://www.chrisfarris.com/post/effective-aws-ransomware/ -- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md -- https://nvd.nist.gov/vuln/detail/CVE-2025-2825 -- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/ -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- 
https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group -- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91 -- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html +- https://www.huntress.com/blog/silencing-the-edr-silencers +- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/ +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage +- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files +- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md +- https://x.com/cyberfeeddigest/status/1887041526397587859 +- https://www.fortiguard.com/psirt/FG-IR-24-535 +- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage +- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html +- 
https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ +- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs +- https://tria.ge/241231-j9yatstqbm/behavioral1 +- https://blog.axelarator.net/hunting-for-edr-freeze/ +- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware +- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ +- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware #### Error While Archiving References -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f -- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/ -- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke -- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- 
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/ -- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html -- https://unit42.paloaltonetworks.com/cve-2025-59287/ -- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html -- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html -- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16 -- https://x.com/Wietze/status/1933495426952421843 -- https://paper.seebug.org/1495/ +- https://research.checkpoint.com/2025/stealth-falcon-zero-day/ +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 +- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/ +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc +- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/ +- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ +- 
https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/ +- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251 - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://www.cisa.gov/stopransomware/ransomware-guide -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access -- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53 -- https://localtonet.com/documents/supported-tunnels -- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/ - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/ -- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://tria.ge/241015-l98snsyeje/behavioral2 -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://securelist.com/sidewinder-apt/114089/ -- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36 +- https://itm4n.github.io/cdpsvc-dll-hijacking/ +- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://huntress.com/blog/esxi-vm-escape-exploit +- https://woshub.com/disable-credential-guard-windows/ - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://www.joesandbox.com/analysis/1605063/0/html -- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415 -- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/ +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://man7.org/linux/man-pages/man2/personality.2.html +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://github.com/grayhatkiller/SharpExShell +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://notepad-plus-plus.org/news/v889-released/ +- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/ +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://www.joesandbox.com/analysis/1467354/0/html +- https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/ +- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3 +- https://securelist.com/sidewinder-apt/114089/ +- https://github.com/0xthirteen/SharpMove/ +- https://lolbas-project.github.io/#/download +- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://adsecurity.org/?p=1785 +- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- 
https://intel.thedfirreport.com/eventReports/view/57 -- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/ -- https://github.com/CoreyCBurton/DripLoaderNG -- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/ -- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure -- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer -- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790 -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy -- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://github.com/trufflesecurity/trufflehog -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc -- https://github.com/TwoSevenOneT/EDR-Freeze -- https://pentestlab.blog/2022/03/21/unconstrained-delegation/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard -- 
https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639 +- https://www.coreycburton.com/blog/driploader-case-study +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md +- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7 +- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/ +- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493 +- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f +- https://github.com/amidaware/tacticalrmm +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local +- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468 +- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/ +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/ -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- 
https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry -- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/ -- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399 -- https://redfoxsec.com/blog/ipv6-dns-takeover/ +- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm +- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/ +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2 -- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session -- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ -- 
https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://www.cisa.gov/known-exploited-vulnerabilities-catalog -- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://x.com/cyberfeeddigest/status/1887041526397587859 -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites -- https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt -- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/ +- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/ +- https://adsecurity.org/?p=3377 +- 
https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html +- https://mrd0x.com/filefix-clickfix-alternative/ +- https://github.com/TwoSevenOneT/EDR-Freeze +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://docs.python.org/3/library/http.server.html +- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions +- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c -- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1 -- https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://github.com/rtecCyberSec/SpeechRuntimeMove +- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/ +- https://www.scip.ch/en/?labs.20240523 +- 
https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/ +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://learn.microsoft.com/en-us/windows/wsl/install - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16 +- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html +- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +- https://redcanary.com/blog/threat-intelligence/msix-installers/ - https://twitter.com/Kostastsale/status/1480716528421011458 -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://dfir.ch/posts/linux_capabilities/ -- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://ss64.com/osx/sw_vers.html -- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/ -- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions -- https://blu.org/mhonarc/discuss/2001/04/msg00285.php -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html -- https://lolbas-project.github.io/#/download -- https://man7.org/linux/man-pages/man2/personality.2.html -- https://research.checkpoint.com/2025/stealth-falcon-zero-day/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ -- https://www.softperfect.com/products/networkscanner/ -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://github.com/amidaware/tacticalrmm -- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://ngrok.com/blog-post/new-ngrok-domains -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation -- https://github.com/mhaskar/FsquirtCPLPoC -- 
https://learn.microsoft.com/en-us/windows/wsl/install -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html -- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/ -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin -- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix -- https://naikordian.github.io/blog/posts/brute-force-aws-console/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/ -- https://securelist.com/apt41-in-africa/116986/ -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/ -- https://github.com/0xthirteen/SharpMove/ -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla -- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +- 
http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start +- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf +- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004 +- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall +- https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4 +- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef +- https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing +- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ +- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html +- https://jgspiers.com/audit-group-policy-changes/ +- https://vmois.dev/query-signal-desktop-messages-sqlite/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30 +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://www.youtube.com/watch?v=uSYvHUVU8xY +- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://github.com/h4rmy/KDU +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md +- 
https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://man7.org/linux/man-pages/man8/setcap.8.html +- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md +- https://github.com/varwara/CVE-2024-35250 +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml -- https://github.com/The-Viper-One/Invoke-PowerDPAPI/ -- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/ -- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings +- https://www.man7.org/linux/man-pages/man1/systemctl.1.html - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://juggernaut-sec.com/capabilities/#cap_setgid -- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef -- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ -- https://pwn.guide/free/web/crushftp -- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1 +- https://x.com/Threatlabz/status/1879956781360976155 +- https://www.softperfect.com/products/networkscanner/ +- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/ +- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron +- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/ +- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows +- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790 +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior 
+- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/ +- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://github.com/CoreyCBurton/DripLoaderNG +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html -- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps -- https://www.huntress.com/blog/silencing-the-edr-silencers -- https://vmois.dev/query-signal-desktop-messages-sqlite/ -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/ -- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh -- 
https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html -- https://feeds.alphasoc.net/bad-etlds.txt -- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/ -- https://ss64.com/nt/set.html +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites +- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1 +- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/ +- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://juggernaut-sec.com/capabilities/#cap_setuid +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed - 
https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal -- https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan -- https://github.com/Arno0x/DNSExfiltrator/ -- https://x.com/wietze/status/1958302556033065292?s=12 -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ -- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md -- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ -- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952 -- https://man7.org/linux/man-pages/man2/sysinfo.2.html -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://www.loobins.io/binaries/xattr/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://asec.ahnlab.com/en/40263/ +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin +- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2 +- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/ +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://ss64.com/nt/set.html +- 
https://hawktrace.com/blog/CVE-2025-59287-UNAUTH - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference -- https://github.com/grayhatkiller/SharpExShell -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://cert.gov.ua/article/6284080 +- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://github.com/msanft/CVE-2025-55182 - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps -- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/ -- https://adsecurity.org/?p=3377 -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage -- https://x.com/byrne_emmy12099/status/1932346420226658668 -- https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes -- https://moonlock.com/amos-backdoor-persistent-access -- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457 -- https://blog.axelarator.net/hunting-for-edr-freeze/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060 -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- 
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel -- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.coreycburton.com/blog/driploader-case-study -- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://ss64.com/nt/schtasks.html -- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ -- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior -- 
https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://github.com/TwoSevenOneT/WSASS -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://github.com/JohnHammond/recaptcha-phish -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://redcanary.com/blog/threat-intelligence/msix-installers/ -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/ -- https://man7.org/linux/man-pages/man2/syslog.2.html +- https://www.loobins.io/binaries/xattr/ +- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html +- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16 +- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/ +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324 +- https://github.com/mhaskar/FsquirtCPLPoC +- https://pwn.guide/free/web/crushftp - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html -- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/ -- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- 
https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://github.com/msanft/CVE-2025-55182 -- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://github.com/h4rmy/KDU -- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear -- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493 -- https://securelist.com/notepad-supply-chain-attack/118708/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/ -- https://asec.ahnlab.com/en/40263/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ -- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement -- https://github.com/rtecCyberSec/BitlockMove +- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md -- https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/ -- 
https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/ -- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md -- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ -- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870 +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ -- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html -- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking -- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/ -- https://mrd0x.com/filefix-clickfix-alternative/ -- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://intel.thedfirreport.com/eventReports/view/70 -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- 
https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/ -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/ -- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/ -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 -- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad -- https://www.scip.ch/en/?labs.20240523 -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/ +- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior +- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50 +- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://cert.gov.ua/article/6277849 +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://megatools.megous.com/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today +- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules +- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/ +- https://news.ycombinator.com/item?id=29504755 +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://github.com/trufflesecurity/trufflehog +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ -- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event -- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://github.com/Arno0x/DNSExfiltrator/ +- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/ +- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/ +- https://www.security.com/threat-intelligence/medusa-ransomware-attacks - 
https://nodejs.org/api/child_process.html#class-childprocess -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/ +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457 +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ +- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11 +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://www.loobins.io/binaries/nscurl/ +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://juggernaut-sec.com/capabilities/#cap_setgid +- https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/ +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://naikordian.github.io/blog/posts/brute-force-aws-console/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://www.joesandbox.com/analysis/1605063/0/html +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- 
https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://www.trendmicro.com/en_us/research/25/f/water-curse.html +- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/ +- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ +- https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060 - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 -- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 +- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/ +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer - https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html -- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store -- 
https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://x.com/Threatlabz/status/1879956781360976155 -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468 -- https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33 -- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin -- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2 -- https://itm4n.github.io/cdpsvc-dll-hijacking/ -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324 -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://megatools.megous.com/ -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png -- 
https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt -- https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://trustedsec.com/blog/command-line-underdog-wmic-in-action -- https://github.com/mulwareX/CVE-2025-6218-POC -- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/ -- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/ -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://www.fortiguard.com/psirt/FG-IR-24-535 -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://x.com/JangPr0/status/1932034543026065833 -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/ -- https://github.com/rtecCyberSec/SpeechRuntimeMove -- 
https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address -- https://x.com/0x534c/status/1944694507787710685 -- https://www.loobins.io/binaries/nscurl/ -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/ +- https://github.com/The-Viper-One/Invoke-PowerDPAPI/ +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/ +- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ +- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml +- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://intel.thedfirreport.com/eventReports/view/57 +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- 
https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16 +- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/ - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://www.loobins.io/binaries/pbpaste/ -- https://news.ycombinator.com/item?id=29504755 -- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html -- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/ -- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8 -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://juggernaut-sec.com/capabilities/#cap_setuid -- https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ -- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://notepad-plus-plus.org/news/v889-released/ -- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50 -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://cert.gov.ua/article/6284080 -- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html -- 
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ -- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ -- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware -- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/ -- https://www.security.com/threat-intelligence/medusa-ransomware-attacks -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3 -- https://manual.cs50.io/2/personality -- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures -- https://en.wikipedia.org/wiki/Right-to-left_override -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/ -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py -- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior -- https://github.com/logangoins/Krueger/tree/main -- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf -- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ -- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled -- https://github.com/varwara/CVE-2024-35250 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53 +- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation +- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://man7.org/linux/man-pages/man1/dmesg.1.html +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix +- https://github.com/rtecCyberSec/BitlockMove +- 
https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ - https://linux.die.net/man/8/auditct -- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware -- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://bazaar.abuse.ch/browse/tag/one/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2 +- https://feeds.alphasoc.net/bad-etlds.txt +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/ -- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm -- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/ -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV -- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004 -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11 -- https://jgspiers.com/audit-group-policy-changes/ -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings -- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md -- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/ -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md -- https://x.com/0gtweet/status/1564131230941122561 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251 -- https://www.man7.org/linux/man-pages/man1/systemctl.1.html -- 
https://gtfobins.github.io/gtfobins/rsync/#shell -- https://www.trendmicro.com/en_us/research/25/f/water-curse.html -- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump -- https://www.youtube.com/watch?v=uSYvHUVU8xY -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://man7.org/linux/man-pages/man1/dmesg.1.html -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf -- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/ -- https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site +- https://x.com/0x534c/status/1944694507787710685 +- https://pentestlab.blog/2022/03/21/unconstrained-delegation/ +- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware +- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware +- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear +- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md +- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin +- 
https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/ +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html +- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/ +- https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry +- https://localtonet.com/documents/supported-tunnels +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://en.wikipedia.org/wiki/Right-to-left_override +- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/ +- https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3 -- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity -- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH -- https://docs.python.org/3/library/http.server.html -- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr -- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://x.com/wietze/status/1958302556033065292?s=12 +- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample +- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16 +- https://paper.seebug.org/1495/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ +- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ - 
https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/ -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/ -- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ -- https://restic.net/ -- https://woshub.com/disable-credential-guard-windows/ -- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/ -- https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97 -- https://tria.ge/241231-j9yatstqbm/behavioral1 -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer -- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html -- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/ +- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33 +- https://man7.org/linux/man-pages/man2/sysinfo.2.html +- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr +- https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site +- 
https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ +- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html +- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952 +- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events +- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +- https://trustedsec.com/blog/command-line-underdog-wmic-in-action +- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html +- https://bazaar.abuse.ch/browse/tag/one/ +- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_ +- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ +- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md +- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ +- https://ss64.com/osx/sw_vers.html +- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/ +- https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes +- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44 +- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html +- https://manual.cs50.io/2/personality +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://dfir.ch/posts/linux_capabilities/ +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html +- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ +- https://github.com/mulwareX/CVE-2025-6218-POC +- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/ +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://redfoxsec.com/blog/ipv6-dns-takeover/ +- 
https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis +- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea +- https://x.com/byrne_emmy12099/status/1932346420226658668 +- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/ +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123 +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/ +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://cert.gov.ua/article/6277849 -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml -- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/ -- 
https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm +- https://x.com/0gtweet/status/1564131230941122561 +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html +- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md +- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/ +- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump +- https://ngrok.com/blog-post/new-ngrok-domains +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639 +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://unit42.paloaltonetworks.com/cve-2025-59287/ +- https://tria.ge/241015-l98snsyeje/behavioral2 +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack -- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7 -- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7 -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement +- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1 +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 +- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8 +- https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms +- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html +- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html +- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry +- https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97 +- https://securelist.com/apt41-in-africa/116986/ +- https://ss64.com/nt/schtasks.html +- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/ +- https://gtfobins.github.io/gtfobins/rsync/#shell - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware -- https://www.joesandbox.com/analysis/1467354/0/html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- 
http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.cisa.gov/known-exploited-vulnerabilities-catalog +- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm +- https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html -- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44 -- 
https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002 -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ -- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection -- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123 -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://man7.org/linux/man-pages/man8/setcap.8.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/ -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis -- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample -- https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30 -- https://adsecurity.org/?p=1785 -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules -- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/ -- https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4 -- https://huntress.com/blog/esxi-vm-escape-exploit -- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/ -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/ +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard +- https://github.com/logangoins/Krueger/tree/main +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://scythe.io/threat-thursday/threatthursday-darkside-ransomware +- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- 
https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/ +- https://www.loobins.io/binaries/pbpaste/ +- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://moonlock.com/amos-backdoor-persistent-access +- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/ +- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm -- https://taggart-tech.com/evildeno/ +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla +- https://securelist.com/notepad-supply-chain-attack/118708/ +- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/ +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://man7.org/linux/man-pages/man2/syslog.2.html +- https://x.com/JangPr0/status/1932034543026065833 +- 
https://intel.thedfirreport.com/eventReports/view/70 +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion +- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f -- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ +- https://x.com/Wietze/status/1933495426952421843 +- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/ +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://restic.net/ +- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution +- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/ +- https://taggart-tech.com/evildeno/ +- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html +- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3 +- https://www.cisa.gov/stopransomware/ransomware-guide +- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/ +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- 
https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://github.com/JohnHammond/recaptcha-phish +- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html +- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting +- https://github.com/TwoSevenOneT/WSASS +- https://blu.org/mhonarc/discuss/2001/04/msg00285.php +- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/ +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution +- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/ +- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 68b79ff5ae2..803d8eea48d 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt @@ -194,6 +194,7 @@ https://blog.alyac.co.kr/1901 https://blog.aquasec.com/container-security-tnt-container-attack https://blog.assetnote.io/2021/11/02/sitecore-rce/ https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/ +https://blog.axelarator.net/hunting-for-edr-freeze/ https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html 
@@ -255,6 +256,7 @@ https://blog.router-switch.com/2013/11/show-running-config/ https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar https://blog.sekoia.io/darkgate-internals/ https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ +https://blog.sekoia.io/scattered-spider-laying-new-eggs/ https://blog.skyplabs.net/posts/container-detection/ https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/ https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack @@ -325,6 +327,7 @@ https://bunnyinside.com/?term=f71e8cb9c76a https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit https://car.mitre.org/wiki/CAR-2013-05-002 https://car.mitre.org/wiki/CAR-2016-04-005 +https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/ https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/ https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode 
@@ -476,11 +479,13 @@ https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html +https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance https://docs.djangoproject.com/en/1.11/ref/exceptions/ https://docs.djangoproject.com/en/1.11/topics/logging/#django-security https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group +https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts 
@@ -564,6 +569,7 @@ https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-21 https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy +https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps @@ -750,6 +756,7 @@ https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b3363 https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ https://evasions.checkpoint.com/techniques/macos.html +https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ https://f5.pm/go-59627.html https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ 
@@ -881,6 +888,7 @@ https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS https://github.com/CCob/MirrorDump https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md +https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md https://github.com/CICADA8-Research/RemoteKrbRelay https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11 @@ -924,6 +932,7 @@ https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/ https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ +https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC https://github.com/dsnezhkov/TruffleSnout https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md 
@@ -1715,6 +1724,7 @@ https://github.security.telekom.com/2023/08/darkgate-loader.html https://githubmemory.com/repo/FunctFan/JNDIExploit https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques +https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf https://goo.gl/PsqrhT https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html @@ -1917,6 +1927,7 @@ https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-install https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner 
@@ -1957,6 +1968,7 @@ https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-aud https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview +https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 @@ -2036,6 +2048,7 @@ https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/se https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140 
@@ -2110,6 +2123,7 @@ https://learn.microsoft.com/en-us/windows-server/administration/windows-commands https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies @@ -2378,6 +2392,7 @@ https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-a https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 +https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 
@@ -2447,6 +2462,7 @@ https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely- https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/ https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/ https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ https://ngrok.com/ https://ngrok.com/docs @@ -2900,6 +2916,7 @@ https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomw https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ +https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/ https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html @@ -2946,6 +2963,7 @@ https://tria.ge/240226-fhbe7sdc39/behavioral1 https://tria.ge/240301-rk34sagf5x/behavioral2 https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt https://tria.ge/240521-ynezpagf56/behavioral1 +https://tria.ge/241231-j9yatstqbm/behavioral1 https://trustedsec.com/blog/adexplorer-on-engagements https://trustedsec.com/blog/oops-i-udld-it-again https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change 
@@ -3442,6 +3460,7 @@ https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-3 https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe +https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 @@ -3457,6 +3476,7 @@ https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017 https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html 
@@ -3543,6 +3563,7 @@ https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html https://www.blumira.com/cve-2023-2283/ +https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ @@ -3687,6 +3708,7 @@ https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-0003 https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf https://www.forensafe.com/blogs/runmrukey.html +https://www.fortiguard.com/psirt/FG-IR-24-535 https://www.fortiguard.com/threat-signal-report/4718?s=09 https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document 
@@ -3708,6 +3730,7 @@ https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d https://www.gpg4win.de/documentation.html https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/ +https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/ https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ @@ -3715,6 +3738,7 @@ https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-an https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/ https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ +https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ 
@@ -3725,6 +3749,7 @@ https://www.huntress.com/blog/attacking-mssql-servers https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +https://www.huntress.com/blog/silencing-the-edr-silencers https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 https://www.huntress.com/blog/the-unwanted-guest https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild @@ -3780,6 +3805,7 @@ https://www.jpcert.or.jp/english/pub/sr/ir_research.html https://www.justice.gov/file/1080281/download https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ +https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone 
@@ -3855,6 +3881,7 @@ https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mi https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ +https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ @@ -4209,6 +4236,7 @@ https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d42 https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files https://www.virustotal.com/gui/search/metadata%253ACube0x0/files 
@@ -4230,6 +4258,7 @@ https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ +https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ @@ -4264,7 +4293,9 @@ https://www.zerodayinitiative.com/advisories/ZDI-23-491/ https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html https://www.zoocoup.org/casper/jamf_cheatsheet.pdf +https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution 
@@ -4273,6 +4304,7 @@ https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransom https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 https://x.com/_st0pp3r_/status/1742203752361128162?s=20 https://x.com/cyb3rops/status/1862406110365245506 +https://x.com/cyberfeeddigest/status/1887041526397587859 https://x.com/defusedcyber/status/1971492272966598683 https://x.com/nas_bench/status/1868639048484425963 https://x.com/NullSecurityX/status/1937444064867029179
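Review bot: In the `.github/latest_archiver_output.md` hunk (`@@ -1,616 +1,597 @@`), the three entries under "Newly Archived References" are not in one form: two are Wayback snapshot URLs (`https://web.archive.org/web/20230329163438/https://blog.menasec.net/...` and `https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/...`) while the third, `https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf`, is the live URL. If the archiver records the reference as it appears in `tests/rule-references.txt` for some entries and the resulting snapshot for others, the "Already Archived" check in later runs may miss or double-count entries; it would help to have the script emit one consistent form (either the reference string as stored in the rules, or the snapshot, not both). A second, style point on the same hunk: the regenerated "Already Archived References" list is unordered (`.../policy-csp-deviceguard`, then `https://github.com/logangoins/Krueger/tree/main`, then `.../quick-assist`), which is why this monthly update shows roughly 1,100 changed lines in a cache file; sorting the output the way `tests/rule-references.txt` is sorted would make the real delta reviewable.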
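Review bot: In the hunk at `@@ -924,6 +932,7 @@`, the new reference `https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC` points at a repository root rather than a pinned commit, whereas the neighbouring entries (`https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/...` and, in the hunk above it, `https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/...`) pin a specific revision. A root URL can change content or be deleted, and a Wayback capture of a repository landing page preserves little of what the rule actually cites; consider referencing a specific commit (or a `blob/<sha>/README.md` path) so the reference stays verifiable. The same applies to `https://github.com/logangoins/Krueger/tree/main`, `https://github.com/JohnHammond/recaptcha-phish` and `https://github.com/TwoSevenOneT/WSASS` in the archiver output hunk.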
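Review bot: In the hunk at `@@ -3442,6 +3460,7 @@` (and likewise `@@ -3457,6 +3476,7 @@`), the reference is added to `tests/rule-references.txt` directly as a dated Wayback snapshot (`https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection`), which is the right call for a source that is already offline, but the file is now mixing conventions: the hunk at `@@ -194,6 +194,7 @@` keeps `https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis` as the live URL while the archiver output lists it only in its archived form (`https://web.archive.org/web/20170909091934/...`). It would be worth a short note in the contributing docs (or a comment at the top of `tests/rule-references.txt`) stating when a rule should cite the live URL and rely on the archiver, and when it should cite the snapshot directly, so future additions stay consistent and the "Already Archived" matching does not depend on which form a contributor happened to choose.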