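# LOKI File Name Characteristics
#
# This file contains regex definitions and a description
#
# APPLICATION ------------------------------------------------------------------
#
# Every line is treated as a case-sensitive REGEX that is searched in the file
# path. Patterns that start with a truncated directory name ("ystem32\\",
# "indows\\") omit the first letter on purpose, so that one case-sensitive
# pattern matches both "System32" and "system32".
# Every line includes a description (the preceding "# ..." comment) that gives
# information about the file name based IOC
#
# FORMAT -----------------------------------------------------------------------
#
# # COMMENT
# REGEX;SCORE
# REGEX;SCORE;FALSE_POSITIVE_REGEX
#
# The optional third field is used by a handful of entries in this file
# (whatsapp.exe, tmp.exe, foo.jsp). It holds a second regex that looks like a
# false-positive filter for the first one - confirm the exact semantics in the
# scanner's parser before adding new entries of that form.
#
# NOTE(review): the scanner appears to add up the score of every matching
# pattern, so an entry that is listed twice, or that is also covered by a
# broader pattern, counts more than once. Keep entries unique - the exact
# duplicates that used to be in this section have been removed.
#
# EXAMPLES ---------------------------------------------------------------------
#
# # Various examples from APT case X
# \\svcsstat\.exe;70
# \\(server|servisces|smrr|srrm|svchost|svhost|svshost|taskmrg)\.exe$;50
# ProgramData\\Mail\\MailAg\\;80
# (Anwendungsdaten|Application Data|APPDATA)\\sydmain\.dll;80
# (TEMP|Temp)\\[^\\"]+\.(xmd|yls)$;80
# (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe)[^\.];80
#
# # Ncat Example
# bin\\nc\.exe;80

# Regin
\\usbclass\.sys;80
\\adpu160\.sys;80
\\msrdc64\.dat;80
\\msdcsvc\.dat;80
\\config\\SystemAudit\.Evt;80
\\config\\SecurityAudit\.Evt;80
\\config\\SystemLog\.evt;80
\\config\\ApplicationLog\.evt;80
\\ime\\imesc5\\dicts\\pintlgbs\.imd;80
\\ime\\imesc5\\dicts\\pintlgbp\.imd;80
ystem32\\winhttpc\.dll;80
ystem32\\wshnetc\.dll;80
\\SysWow64\\wshnetc\.dll;80
ystem32\\svcstat\.exe;80
ystem32\\svcsstat\.exe;80
IME\\IMESC5\\DICTS\\PINTLGBP\.IMD;80
ystem32\\wsharp\.dll;80
pchealth\\helpctr\\Database\\cdata\.dat;80
pchealth\\helpctr\\Database\\cdata\.edb;80
Windows\\Panther\\setup\.etl\.000;80
ystem32\\wbem\\repository\\INDEX2\.DATA;80
ystem32\\wbem\\repository\\OBJECTS2\.DATA;80
ystem32\\dnscache\.dat;80
ystem32\\mregnx\.dat;80
ystem32\\displn32\.dat;80
ystem32\\dmdskwk\.dat;80
ystem32\\nvwrsnu\.dat;80
ystem32\\tapiscfg\.dat;80
ystem32\\pciclass\.sys;80
# Five Eyes
\\20120\.dll;80
\\20121\.dll;80
\\20123\.sys;80
# Skeleton Key File Names - see the "Skeleton Key" section further down
# (https://goo.gl/sc6Lqq), which lists msuta64.dll and ole64.dll together
# with three more names; the two copies that were duplicated here were
# removed so that a hit is not scored twice.
# IXESHE APT Malware
\\winhlps\.exe;80
\\acrotry\.exe;80
# PlugX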
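(TEMP|TMP|Temp)\\DW20\.dll;80
(TEMP|TMP|Temp)\\dl_[0-9]{2}\.exe;80
(TEMP|TMP|Temp)\\dl_[0-9]{2}\.txt;80
(Mailing|Shipment).*Label\.exe;80
# Mandiant APT
# NOTE(review): the explicit ~df~ / ~hf~ entries are also matched by the
# generic ~[a-z][a-z]~ pattern right after them, so such a file is scored by
# both (160). Kept as-is; decide whether the explicit ones are still wanted.
\\Temp\\~df~;80
\\Temp\\~hf~;80
\\Temp\\~[a-z][a-z]~;80
# (fixed: the "." before "exe" was unescaped and matched any character)
\\start menu\\programs\\startup\\adobe_sl\.exe;80
Temp\\Updatasched\.exe;80
\\adobere\.exe;80
# Mandiant APT - SHELLDC.DLL (BACKDOOR)
\\Temp\\svchost\.exe;80
\\shelldc\.dll;80
\\recyle64\.dll;80
\\ws_18\.dll;80
# Mandiant APT - LIGHTDART (FAMILY)
\\ret\.log;55
\\qy\.htm;55
\\shsat\.exe;70
\\imxgy\.exe;70
# Suspicious RAR File Names
\\1\.rar;50
\\a\.rar;50
\\abc\.rar;50
# Kaspersky Carbanak APT Malware Hash http://goo.gl/0Nhax2
\\System32\\com\\svchost\.exe;80
\\ProgramData\\mozilla\\[^\\"]+\.bin;80
\\(Windows|WinXP)\\paexec;80
SysWOW64\\com\\svchost\.exe;80
# Equation Group Malware http://goo.gl/d5ujEH
ystem32\\ee\.dll;80
# Equation Related File Name http://pastebin.com/QvZNtuQW
ystem32\\msregstr\.exe;80
ystem32\\khlp894u\.dll;80
\\__c__\.lnk;80
temp\\msupdate\.exe;80
\\fanny\.bmp;80
WINDOWS\\mlan\.exe;80
Windows\\mlan\.exe;80
# Former Suspicious File Signatures ###########################################
# They get a lower score by default
# ThreatExpert Statistics
\\winsvc\.exe$;45
\\blaah\.exe;45
\\ldr\.exe$;45
\\t\.exe$;45
\\user0\.exe;45
\\mxplay_installer\.exe;45
# (fixed: unescaped "." before "exe")
\\pak\-[0-9]{3,}\.exe$;45
\\rundll\.exe$;45
\\windowsservice\\starter\.exe$;45
# (fixed: was "\\.exe", i.e. a literal backslash followed by ".exe" - that
# only matches a file named ".exe" inside a "wrar..." directory)
\\wrar[0-9a-z]+\.exe$;45
\\av[0-9]+\.exe$;45
\\eixplorer\.exe;45
\\win\.exe$;45
\\cleanup\.exe$;45
\\winsystem\.exe;45
Fonts\\[\w]+\.exe$;45
\\(temp|tmp)\\server\.exe;45
\\interxpoler\.exe;45
\\networkservice\.exe;45
\\favorites\.exe;45
\\microsoft\.exe$;45
\\adobe\.exe$;45
\\cncdown\.exe$;45
\\ntcom\.dll$;45
\\nthead\.dll$;45
\\services32\.exe;45
\\recycled\.exe;45
# (fixed: unescaped "." before "exe")
\\sofware\.exe;45
\\explorer[0-9]\.exe;45
\\criptor\.exe;45
\\crypt3r\.exe;45
\\temp\\copy\.exe;45
\\cuda\.exe;45
# Typical Malware Name
# 7+ whitespace characters in front of the extension (padding used to hide
# the real extension), single-character and single-digit executable names.
[\s]{7,}\.(exe|com|dll|bat|scr|vbs);45
\\[0-9]\.(exe|dll)$;45
\\[a-zA-Z]\.exe$;45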
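\.(doc|docx|pdf|txt)\.(exe|bat|com|scr|vbs)$;45
\\\.tmp$;45
(temp|tmp)\\[a-z]\.(zip|exe|txt)$;45
(temp|tmp)\\[a-z]\.rar;45
\\32\.exe;45
\\64\.exe;45
\\d\.exe;45
\\s\.exe;45
\\ss\.exe;45
\\sss\.exe;45
# Malware locations
AppData\\[\w]+\.exe;45
[Tt]emp\\[\w]{1,2}\.(exe|com|scr);45
[Cc]:\\[\w]{1,2}\.(exe|com|scr);45
# Symantec Waterbug Attack http://goo.gl/9Tlk90
\\tcpdump32c\.exe;45
\\typecli\.exe;45
\\msc32\.exe;45
\\dxsnd32x\.exe;45
\\msnetsrv\.exe;45
\\mswme32\.exe;45
\\msnetserv\.exe;45
\\msnet32\.exe;45
\\rpcsrv\.exe;45
\\charmap32\.exe;45
\\mqsvc32\.exe;45
\\msrss\.exe;45
\\dc1\.exe;45
\\svcmgr\.exe;45
\\msx32\.exe;45
\.XOR$;45
# Suspected Anthem Deep Panda APT
\\lot1\.tmp;45
# Trojan Characteristics
\\EXPL0RER\.exe;55
\\srv32\.exe;55
\\csrnss\.exe;55
\\0\.exe;55
\\ntldm\.exe;55
\\xxxc\.bat;55
\\winkept\.exe;55
Temp\\iexplore\.exe;55
\\hidserv\.exe;55
[Cc]:\\Inetpub\.lnk;55
\\zggjmyd\.exe;55
ystem32\\2bed\.exe;55
360\\sendlog\.txt;55
# (fixed: the "." before "flv" was unescaped in both entries)
Windows\\[0-9a-z]+\.flv;55
ystem32\\[0-9a-z]+\.flv;55
\\downloaded[0-9]+\.exe;55
\\New\sFolder[^\\]+\.exe;55
\\myloveever\.exe;55
\\killer\.exe;55
\\mspool\.DLL;55
\\superproxy\.exe;55
\\zoufoo\.exe;55
\\omesuperv\.exe;50
ystem32\\dpisca\.exe;45
ystem32\\razorp\.exe;45
\\aaaaaaaa\.exe;55
\\d1\.tmp\.dll;55
\\fotos\.exe;55
\\new\.exe;60
# (a second movie.exe entry scored 65 was removed; the first score is kept -
# pick 60 or 65 deliberately if the intent was the higher one)
\\movie\.exe;60
\\files\.exe;55
\\fun\.exe;60
\\freepdf\.exe;60
\\iexplorei\.exe;80
\\imagens\.exe;60
\\lost\.dir\.exe;70
\\new_folder\.exe;70
\\picture\.exe;65
\\play me\.exe;65
\\ppts\.exe;65
\\recycler\.exe;65
\\share_apps\.exe;65
[^s]\\video\.exe;65
# third field: false-positive filter for the real WhatsApp install locations
\\whatsapp\.exe;55;(\\WhatsApp|\\Prefetch\\|\\(Packages|WindowsApps)\\.{8}\.WhatsAppDesktop)
\\xx\.exe;65
\\keygen1\.exe;65
\\meta\.exe;50
# third field: false-positive filter for AppXXXX.tmp.exe installer stubs
\\tmp\.exe;60;(?i)\\AppData\\Local\\Temp\\App[a-z0-9]{4}\.tmp\.exe
\\userfiles\.exe;65
\\nuevo\.exe;65
\\_thumbs\.exe;65
\\music\.exe;65
\\skypee\.exe;65
# Rombertik / CarbonGrabber http://goo.gl/SGcS2H
\\fgf\.vbs;65
\\rsr\\yfoye\.bat;75
\\rsr\\yfoye\.exe;75
# Mimikatz Output
\.kirbi$;70
# Kraken / Laziok Bot https://goo.gl/5jvv9q
System\\Oracle\\smss\.exe;80
# CryptoWall http://goo.gl/psjCCc
\\HELP_DECRYPT\.URL;60
# Hawkeye Keylogger https://goo.gl/th5q2v
\\HawkEye_Keylogger_;70
# Kaspersky RAT Report https://goo.gl/th5q2v
# NOTE(review): the reference URL is identical to the HawkEye entry above -
# probably a copy/paste slip, verify and replace with the report's URL.
\\AppData\\Roaming\\Microsoft\\[^\\"]{1,32}\.(exe|doc|zip);50
\\AudioEndpointBuilder\.exe;60
\\BrokerInfrastructure\.exe;60
\\WindowsUpdate\.exe;50
# APT28 https://goo.gl/6Xiayq
Microsoft\\MediaPlayer\\updatewindws\.exe;100
\\updatewindws\.exe;70
\\netui\.dll;50
\\edg6EF885E2\.tmp;60
# (exact duplicates of the conhost.dll entries removed)
\\AppData\\Local\\conhost\.dll;70
\\Application Data\\conhost\.dll;70
\\Application Data\\svchost\.exe;70
\\AppData\\Local\\svchost\.exe;70
# Fidelis Threat Advisory http://goo.gl/ZjJyti
\\9i86vdi3l1zi1v\\;60
\\cvaniocol\.cmd;60
\\flrsqgyy\.DVZ;60
\\ibdyambl\.vbs;60
\\ouhlolswfixh$;60
\\slie\.RJD$;60
\\znimialt\.exe;60
(Temp|Tmp|TEMP)\\cedt370r\(3\)\.exe;60
(Temp|Tmp|TEMP)\\penguin\.exe;60
\\Microsoft\\Windows\\hknswc\.exe;60
\\Microsoft\\Windows\\AppMgnt\.exe;60
\\FILE_127\.127\.ppt;60
\\FILE_127\.127\.ppsx;60
(Temp|Tmp|TEMP)\\destsx\.inf;50
(Temp|Tmp|TEMP)\\Alsa\\doub\.tmp;60
# (fixed: unescaped "." before "exe")
(Temp|Tmp|TEMP)\\muysf\\ipbuy\.exe;70
\\Order Details\.xls\.pps;60
# Sofacy - Malware http://goo.gl/OtmPzq
\\svchost\.exe\.exe;70
# Winexesvc - Remote Execution Service - often used by Pentesters and Hackers
Windows\\winexesvc\.exe;70
# Wild Neutron File Names https://goo.gl/Qew6dT
AppData\\Roaming\\FlashUtil\.exe;60
AppData\\Roaming\\Acer\\LiveUpdater\.exe;60
AppData\\Roaming\\Realtek\\RtlUpd\.exe;60
ProgramData\\Realtek\\RtlUpd\.exe;60
AppData\\Roaming\\sqlite3\.dll;60
Windows\\winsession\.dll;60
# NOTE(review): the doubled "AppData\\appdata" prefix does not correspond to
# a standard profile layout and probably never matches - check the report
# for the intended path before changing it.
AppData\\appdata\\local\\temp\\teamviewer\\version9\\update\.exe;60
Windows\\temp\\_dbg\.tmp;60
Windows\\temp\\ok\.tmp;60
indows\\temp\\debug\.txt;60
indows\\syswow64\\mshtaex\.exe;60
\\System32\\mshtaex\.exe;60
\\System32\\wdigestEx\.dll;60
\\System32\\dpcore16t\.dll;60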
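\\System32\\iastor32\.exe;60
\\System32\\mspool\.dll;60
\\System32\\msvcse\.exe;60
\\System32\\mspool\.exe;60
C:\\Program Files (x86)\\LNVSuite\\LnrAuth\.dll;60
C:\\Program Files (x86)\\LNVSuite\\LnrAuthSvc\.dll;60
C:\\Program Files (x86)\\LNVSuite\\LnrUpdt\.exe;60
C:\\Program Files (x86)\\LNVSuite\\LnrUpdtP\.exe;60
# F-Secure Wonknu APT Backdoor:W32/Wonknu.A https://goo.gl/JjVikT
\\programdata\\kav\.exe;85
\\Java_Down\.exe;80
# Phishing Wave Dec 2015
\\p0o6543f\.exe;85
# Sofacy group report Dec 2015 - https://goo.gl/WSvEM8
# NOTE(review): the bare msdeltemp.dll entry also matches the full path
# above it, so that path is scored 80 + 50.
AppData\\Local\\Microsoft\\Windows\\msdeltemp\.dll;80
\\msdeltemp\.dll;50
\\tf394kv\.dll;75
AppData\\dllhost\.exe;80
AppData\\sechost\.exe;80
Temp\\dllhost\.exe;80
Temp\\sechost\.exe;80
# (fixed: unescaped "." before "log")
AppData\\chkdbg\.log;60
AppData\\svchost\.exe;80
AppData\\conhost\.dll;80
Temp\\conhost\.dll;80
# FireEye Report admin@338 https://goo.gl/JAlw3s
\\upload\.rar;70
# Microsoft Intelligence Report http://goo.gl/jcS0lO
\\SupUpNvidia\.exe;80
\\svchosl\.exe;80
\\svehost\.exe;80
\\run_x64\.exe;55
\\run_x86\.exe;55
\\advstorshell\.exe;65
\\runrun\.exe;60
\\MicrosoftSup\.dll;70
# Inocnation Report - Fidelis Cybersecurity https://goo.gl/HA82xf
Temp\\Center[0-9]{6,11}\.dat;65
AppData\\adobe\\adobe\.dat;65
# Hexacorn Blog Entry - Homomorphic abuse http://goo.gl/1UGJVn
# Look-alike names of common Windows / browser binaries (chrome.exe,
# csrss.exe, explorer.exe, iexplore.exe, firefox.exe, java.exe, lsass.exe,
# svchost.exe, win*.exe, winlogon.exe). Low score each, long list.
\\5hrome\.exe;45
\\a_chrome\.exe;45
\\cchrome\.exe;45
\\chorom\.exe;45
\\chr0me\.exe;45
\\chro2me\.exe;45
\\chrom\.exe;45
\\-chrome\.exe;45
\\chrome1\.exe;45
\\chrome10\.exe;45
\\chrome3\.exe;45
\\chrome32\.exe;45
\\chrome9\.exe;45
\\chromede\.exe;45
\\chromee\.exe;45
\\chromeez\.exe;45
\\chromei\.exe;45
\\chromes\.exe;45
\\chromix\.exe;45
\\chromme\.exe;45
\\chrommm\.exe;45
\\chromre\.exe;45
\\chromse\.exe;45
\\chromyy\.exe;45
\\chroom\.exe;45
\\chroome\.exe;45
\\chroum\.exe;45
\\crhome\.exe;45
\\nichrome\.exe;45
\\_cerss\.exe;45
\\_csrss\.exe;45
\\carss\.exe;45
\\ccrs\.exe;45
\\cress\.exe;45
\\crrss\.exe;45
\\crss\.exe;45
\\crsss\.exe;45
\\csrcs\.exe;45
\\csres\.exe;45
\\csriss\.exe;45
\\csrlt\.exe;45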
# (continued: csrss.exe look-alikes from the Hexacorn list above)
\\csrms\.exe;45
\\csrmss\.exe;45
\\csrrss\.exe;45
\\csrs\.exe;45
\\csrsc\.exe;45
\\csrse\.exe;45
\\csrsess\.exe;45
\\csrsk\.exe;45
\\csrsl\.exe;45
\\csrsrv\.exe;45
\\csrss_1\.exe;45
\\csrss_2\.exe;45
\\csrss_8\.exe;45
\\csrss_9\.exe;45
\\csrss32\.exe;45
\\csrssa\.exe;45
\\csrssc\.exe;45
\\csrsses\.exe;45
\\csrssr\.exe;45
\\csrsss\.exe;45
\\csrssw\.exe;45
\\csrssys\.exe;45
\\csrst\.exe;45
\\csrsvc\.exe;45
\\csrsvr\.exe;45
\\csrsx\.exe;45
\\csrtss\.exe;45
\\csrus\.exe;45
\\csrvs\.exe;45
\\cssrs\.exe;45
\\cssrsa\.exe;45
\\cssrsr\.exe;45
\\cssrss\.exe;45
\\cvrss\.exe;45
\\scrss\.exe;45
# explorer.exe / iexplore.exe look-alikes (Hexacorn list, continued)
\\0iexplorer\.exe;45
\\12iexplore\.exe;45
\\2ciexplore\.exe;45
\\2fexplorer\.exe;45
\\5explore\.exe;45
\\5xplorer\.exe;45
\\_iexplors\.exe;45
\\dexplorer\.exe;45
\\dxplore\.exe;45
\\e1xplorer\.exe;45
\\eexplorer\.exe;45
\\eexxplorer\.exe;45
\\eksplorer\.exe;45
\\ep1orer\.exe;45
\\esplorer\.exe;45
\\exeplorer\.exe;45
\\exlorer\.exe;45
\\exoplorer\.exe;45
\\exp10rer\.exe;45
\\exp1or\.exe;45
\\exp1ore\.exe;45
\\exp1orer\.exe;45
\\exp1ror\.exe;45
\\exp20re\.exe;45
\\expiorer\.exe;45
\\expioror\.exe;45
\\expl0rer\.exe;45
\\explarar\.exe;45
\\explarer\.exe;45
\\expleror\.exe;45
\\exploe\.exe;45
\\exploer\.exe;45
\\exploere\.exe;45
\\exploerer\.exe;45
\\exploiter\.exe;45
\\exploner\.exe;45
\\explope\.exe;45
\\explor\.exe;45
\\explora\.exe;45
\\explore\.exe;45
\\explored\.exe;45
\\exploree\.exe;45
\\exploreee\.exe;45
\\exploreff\.exe;45
\\explorei\.exe;45
\\explorep\.exe;45
\\explorer1\.exe;45
\\explorer32\.exe;45
\\explorer64\.exe;45
\\explorer66\.exe;45
\\explorer_\.exe;45
\\explorere\.exe;45
\\explorerf\.exe;45
\\explorerr\.exe;45
\\explorerrr\.exe;45
\\explorers\.exe;45
\\explorerv\.exe;45
\\explorerxx\.exe;45
\\explorerz\.exe;45
\\explores\.exe;45
\\exploret\.exe;45
\\explorew\.exe;45
\\exploror\.exe;45
\\explorr\.exe;45
\\explorre\.exe;45
\\explorrer\.exe;45
\\explorxp\.exe;45
\\explre3r\.exe;45
\\explrer\.exe;45
\\explroer\.exe;45
\\expoler\.exe;45
\\expolorer\.exe;45
\\exporer\.exe;45
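\\exprer\.exe;45
\\exprlore\.exe;45
\\exproler\.exe;45
\\exqlorer\.exe;45
\\exsplorer\.exe;45
\\exxplorer\.exe;45
\\ieioplore\.exe;45
\\ieplore\.exe;45
\\ieplorer\.exe;45
\\iexeplore\.exe;45
\\iexlorer\.exe;45
\\iexlplore\.exe;45
\\iexp1ore\.exe;45
\\iexp1orer\.exe;45
\\iexpiore\.exe;45
\\iexpl0ra\.exe;45
\\iexpl0re\.exe;45
\\iexplare\.exe;45
\\iexplarer\.exe;45
\\iexplere\.exe;45
\\iexpllzore\.exe;45
\\iexplo\.exe;45
\\iexploer\.exe;45
\\iexploore\.exe;45
\\iexplope\.exe;45
\\iexplor\.exe;45
\\iexplore32\.exe;45
\\iexplorea\.exe;45
\\iexplorei\.exe;45
\\iexplorer\.exe;45
\\iexplorer0\.exe;45
\\iexplorer2\.exe;45
\\iexplorer7\.exe;45
\\iexplorers\.exe;45
\\iexplores\.exe;45
\\iexploresx\.exe;45
\\iexploror\.exe;45
\\iexplorrer\.exe;45
\\iexplors\.exe;45
\\iexplory\.exe;45
\\iexplorz\.exe;45
\\iexpore\.exe;45
\\iiexplore\.exe;45
\\iiexplorer\.exe;45
\\inexplore\.exe;45
\\inexplorer\.exe;45
\\intexplore\.exe;45
\\ixplorer\.exe;45
\\lexpiore\.exe;45
# lexpl?re.exe: one character class replaces the 35 former single entries
# lexpl1re..lexpl9re and lexplare..lexplzre (every digit 1-9 and every letter
# a-z, lexplore.exe included). Same matches, same score, one regex.
\\lexpl[1-9a-z]re\.exe;45
\\lexplore_\.exe;45
\\lexplorer\.exe;45
\\lexplors\.exe;45
\\msexplorer\.exe;45
\\netplore\.exe;45
\\plorer\.exe;45
\\vbexplorer\.exe;45
\\wexplorer\.exe;45
\\winexplore\.exe;45
\\xeplorer\.exe;45
\\xplore\.exe;45
\\xplorer\.exe;45
# (fixed: was "\\yyexplorer\\\.exe" - a literal backslash before ".exe",
# i.e. a file named ".exe" in a "yyexplorer" directory)
\\yyexplorer\.exe;45
# firefox.exe look-alikes
\\5cfirefox\.exe;45
\\5irefox\.exe;45
\\f1ref0x\.exe;45
\\fire10fox\.exe;45
\\firef0x\.exe;45
\\firefly\.exe;45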
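\\firefo\.exe;45
\\firefox2\.exe;45
\\firefox32\.exe;45
\\firefoxe\.exe;45
\\firefoxx\.exe;45
\\firfox\.exe;45
\\irefox\.exe;45
\\refox\.exe;45
\\wireox\.exe;45
# java.exe look-alikes
\\jav3\.exe;45
\\java32\.exe;45
\\javaa\.exe;45
\\javaaa\.exe;45
\\javaap\.exe;45
\\javacp\.exe;45
\\javag\.exe;45
\\javaii\.exe;45
\\javapw\.exe;45
\\javar\.exe;45
\\javare\.exe;45
\\javas\.exe;45
\\javas5\.exe;45
\\javasc\.exe;45
\\javase\.exe;45
\\javaup\.exe;45
\\javavm\.exe;45
\\javawz\.exe;45
\\javax\.exe;45
\\javo\.exe;45
# (fixed: was "\\javz\\\.exe" - literal backslash before ".exe")
\\javz\.exe;45
# lsass.exe look-alikes
\\1sass\.exe;45
\\iass\.exe;45
\\isaas\.exe;45
\\isas\.exe;45
\\isass\.exe;45
\\issass\.exe;45
\\laass\.exe;45
\\lamss\.exe;45
\\larss\.exe;45
\\lass\.exe;45
\\lassa\.exe;45
\\lasse\.exe;45
\\lasss\.exe;45
\\lcass\.exe;45
\\leass\.exe;45
\\lhssass\.exe;45
\\lrass\.exe;45
\\lrsss\.exe;45
\\lsa32\.exe;45
\\lsac\.exe;45
\\lsacs\.exe;45
\\lsaess\.exe;45
\\lsaoss\.exe;45
\\lsas\.exe;45
\\lsasa\.exe;45
\\lsasas\.exe;45
\\lsascs\.exe;45
\\lsase\.exe;45
\\lsasi\.exe;45
\\lsasm\.exe;45
\\lsaso\.exe;45
\\lsasrv\.exe;45
\\lsass3\.exe;45
\\lsass32\.exe;45
\\lsass47\.exe;45
\\lsassi\.exe;45
\\lsassn\.exe;45
\\lsasss\.exe;45
\\lsassv\.exe;45
\\lsassx\.exe;45
\\lsassys\.exe;45
\\lsats\.exe;45
\\lsmass\.exe;45
\\lsrss\.exe;45
\\lssas\.exe;45
\\lssass\.exe;45
\\msass\.exe;45
\\nsrss\.exe;45
\\salss\.exe;45
# svchost.exe look-alikes (exact duplicates removed - sachostp, sachosts,
# sachostw, scchost, scchostc and schost were each listed twice)
\\_sachost\.exe;45
\\_svch0st\.exe;45
\\_svchost\.exe;45
\\00svchost\.exe;45
\\0svchost\.exe;45
\\achost\.exe;45
\\chost\.exe;45
\\cvhost\.exe;45
\\cvshost\.exe;45
\\isvchosty\.exe;45
\\lsvchost\.exe;45
\\mscchost\.exe;45
\\msvchost\.exe;45
\\ntsvchost\.exe;45
\\rdchost\.exe;45
\\s_host\.exe;45
\\sach0st\.exe;45
\\sachost\.exe;45
\\sachostc\.exe;45
\\sachostp\.exe;45
\\sachosts\.exe;45
\\sachostw\.exe;45
\\sachostx\.exe;45
\\sathost\.exe;45
\\sbhost\.exe;45
\\scchost\.exe;45
\\scchost2\.exe;45
\\scchostc\.exe;45
\\scghost\.exe;45
\\schost\.exe;45
\\schostc\.exe;45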
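# svchost.exe look-alikes, continued (exact duplicates removed: scvh0st,
# scvhost, srvchost, ssvchost, suchost, suchostp, suchosts, svahost, svcchost,
# svcehost, svch0st, svchast, svchcst, svchest and svchosf were listed twice)
\\schosts\.exe;45
\\schovst\.exe;45
\\schvost\.exe;45
\\scvchost\.exe;45
\\scvchusts\.exe;45
\\scvh0st\.exe;45
\\scvhost\.exe;45
\\scvhosv\.exe;45
\\scvost\.exe;45
\\scvvhost\.exe;45
\\sdchost\.exe;45
\\sdhost\.exe;45
\\serhost\.exe;45
\\servehost\.exe;45
\\sethost\.exe;45
\\sevchos\.exe;45
\\sevhost\.exe;45
\\shchost\.exe;45
\\shhost\.exe;45
\\shost\.exe;45
\\shvchost\.exe;45
\\shvhost\.exe;45
\\sichost\.exe;45
\\slchost\.exe;45
\\slihost\.exe;45
\\snahost\.exe;45
\\snhost\.exe;45
\\snphost\.exe;45
\\snvhost\.exe;45
\\sochost\.exe;45
\\sochvst\.exe;45
\\soohost\.exe;45
\\spchost\.exe;45
\\sqlhost\.exe;45
\\srchost\.exe;45
\\srshost\.exe;45
\\srvchost\.exe;45
\\srvhost\.exe;45
\\sschost\.exe;45
\\sshost\.exe;45
\\ssvch0st\.exe;45
\\ssvchost\.exe;45
\\ssvichosst\.exe;45
\\st#host\.exe;45
\\stdhost\.exe;45
\\suchost\.exe;45
\\suchostp\.exe;45
\\suchosts\.exe;45
\\sv_host\.exe;45
\\sv±hest\.exe;45
\\sv0hoat\.exe;45
\\sv1host\.exe;45
\\svahost\.exe;45
\\svcbost\.exe;45
\\svcchost\.exe;45
\\svcehost\.exe;45
\\svcgest\.exe;45
\\svcgh0st\.exe;45
\\svcgoost\.exe;45
\\svch0sat\.exe;45
\\svch0sbt\.exe;45
\\svch0set\.exe;45
\\svch0sft\.exe;45
\\svch0slt\.exe;45
\\svch0smt\.exe;45
\\svch0st\.exe;45
\\svch0st_\.exe;45
\\svch0sts\.exe;45
\\svch7t\.exe;45
\\svchaot\.exe;45
\\svchast\.exe;45
\\svchcst\.exe;45
\\svchest\.exe;45
\\svchhost\.exe;45
\\svchîst\.exe;45
\\svchkost\.exe;45
\\svcho\.exe;45
\\svchobst\.exe;45
\\svchoct\.exe;45
\\svcholts\.exe;45
\\svchon32\.exe;45
\\svchoost\.exe;45
\\svchoot\.exe;45
\\svchort\.exe;45
\\svchos\.exe;45
\\svchos12\.exe;45
\\svchosd\.exe;45
\\svchosf\.exe;45
\\svchosi\.exe;45
# (svchosl.exe is scored 80 in the "Microsoft Intelligence Report" section
# above; the 45-point copy that was here only inflated that to 125)
\\svchoso\.exe;45
\\svchosr\.exe;45
\\svchoss\.exe;45
\\svchosst\.exe;45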
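# svchost.exe look-alikes, continued. Several names are non-ASCII
# (svchöst, svchîst, svchostþ, svchost”) - the file has to be read as UTF-8.
# Exact duplicates removed: svchost2, svchost3, svchost32, svchost64,
# svchosts, svchostt, svchostv, svchostxi, svchoxt, svchpst, svchsot,
# svcnost, svcroot, svdhost and svghost were each listed twice.
\\svchöst\.exe;45
\\svchost_\.exe;45
\\svchost_cz\.exe;45
\\svchost”\.exe;45
\\svchost0\.exe;45
\\svchost1\.exe;45
\\svchost10\.exe;45
\\svchost16\.exe;45
\\svchost2\.exe;45
\\svchost3\.exe;45
\\svchost31\.exe;45
\\svchost32\.exe;45
\\svchost4\.exe;45
\\svchost5\.exe;45
\\svchost6\.exe;45
\\svchost64\.exe;45
\\svchosta\.exe;45
\\svchostbb\.exe;45
\\svchostbd\.exe;45
\\svchostbn\.exe;45
\\svchostc\.exe;45
\\svchostc32\.exe;45
\\svchostcx\.exe;45
\\svchostd\.exe;45
\\svchostdll\.exe;45
\\svchoste\.exe;45
\\svchosted\.exe;45
\\svchosti\.exe;45
\\svchosting\.exe;45
\\svchostit\.exe;45
\\svchostl\.exe;45
\\svchostms\.exe;45
\\svchosto\.exe;45
\\svchostr\.exe;45
\\svchostre\.exe;45
\\svchosts\.exe;45
\\svchosts32\.exe;45
\\svchostsr\.exe;45
\\svchostss\.exe;45
\\svchostt\.exe;45
\\svchostþ\.exe;45
\\svchostun\.exe;45
\\svchostv\.exe;45
\\svchostxi\.exe;45
\\svchostxxx\.exe;45
\\svchostz\.exe;45
\\svchosv\.exe;45
\\svchosy\.exe;45
\\svchot\.exe;45
\\svchoto\.exe;45
\\svchott\.exe;45
\\svchowb\.exe;45
\\svchowt\.exe;45
\\svchoxt\.exe;45
\\svchpst\.exe;45
\\svchqs\.exe;45
\\svchqst\.exe;45
\\svchs0t\.exe;45
\\svchsot\.exe;45
\\svchsst\.exe;45
\\svchssts\.exe;45
\\svchst\.exe;45
\\svchste\.exe;45
\\svchsts\.exe;45
\\svchtst\.exe;45
\\svchust\.exe;45
\\svchusts\.exe;45
\\svcinit\.exe;45
\\svcjhost\.exe;45
\\svclost\.exe;45
\\svcmost\.exe;45
\\svcnost\.exe;45
\\svcohst\.exe;45
\\svcomst\.exe;45
\\svcoost\.exe;45
\\svcost\.exe;45
\\svcpos\.exe;45
\\svcroot\.exe;45
\\svcshtost\.exe;45
\\svcsoft\.exe;45
\\svcsost\.exe;45
\\svcst\.exe;45
\\svctos\.exe;45
\\svcxhost\.exe;45
\\svdhost\.exe;45
\\svdnost\.exe;45
# (svehost.exe is scored 80 in the "Microsoft Intelligence Report" section
# above; the two 45-point copies that were here pushed it to 170 and are gone)
\\svgchost\.exe;45
\\svggost\.exe;45
\\svghost\.exe;45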
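# svchost.exe look-alikes, continued (exact duplicates removed: svhost,
# svohcst, svohost, svphost, svphostu, svrhost, svschost, svsh0st, svvhost,
# swchost, swhost, sxhost, syschost, syshost and szchostc were listed twice)
\\svghosts\.exe;45
\\svh0st\.exe;45
\\svhcost\.exe;45
\\svhest\.exe;45
\\svhoct\.exe;45
\\svhosit\.exe;45
\\svhosr\.exe;45
\\svhosst\.exe;45
\\svhost\.exe;45
\\svhost1\.exe;45
\\svhost2\.exe;45
\\svhostc\.exe;45
\\svhoste\.exe;45
\\svhostr\.exe;45
\\svhosts\.exe;45
\\svhostt\.exe;45
\\svhostu\.exe;45
\\svhot\.exe;45
\\svhst\.exe;45
\\svhust\.exe;45
\\svichosst\.exe;45
\\svichost\.exe;45
\\svlhost\.exe;45
\\svnchost\.exe;45
\\svnhost\.exe;45
\\svohcst\.exe;45
\\svohost\.exe;45
\\svohst\.exe;45
\\svost\.exe;45
\\svphost\.exe;45
\\svphostu\.exe;45
\\svrhost\.exe;45
\\svschost\.exe;45
\\svschosta\.exe;45
\\svsh0st\.exe;45
\\svshoct\.exe;45
\\svshost\.exe;45
\\svshosti\.exe;45
\\svshosts\.exe;45
\\svshot\.exe;45
\\svuhost\.exe;45
\\svvchcst\.exe;45
\\svvchost\.exe;45
\\svvghost\.exe;45
\\svvhost\.exe;45
\\svvhosti\.exe;45
\\svwhost\.exe;45
\\svxhos\.exe;45
\\svxhost\.exe;45
\\swchost\.exe;45
\\swdhost\.exe;45
\\swhost\.exe;45
\\sxhost\.exe;45
\\sychost\.exe;45
\\synhost\.exe;45
\\syschost\.exe;45
\\syshost\.exe;45
\\szchostc\.exe;45
\\tsvchost\.exe;45
\\usvchost\.exe;45
\\uvchost\.exe;45
\\vcchost\.exe;45
\\vchost\.exe;45
\\vhchost\.exe;45
\\vhost\.exe;45
\\vschost\.exe;45
\\vsschost\.exe;45
\\vxhost\.exe;45
\\wsvchost\.exe;45
\\wvchosd\.exe;45
\\xvshost\.exe;45
\\zvchost\.exe;45
# win*.exe look-alikes
\\mswin\.exe;45
\\win_\.exe;45
\\win_5\.exe;45
\\win00\.exe;45
\\win01\.exe;45
\\win07\.exe;45
\\win08\.exe;45
\\win09\.exe;45
\\win1\.exe;45
\\win10\.exe;45
\\win11\.exe;45
\\win16\.exe;45
\\win2\.exe;45
\\win22\.exe;45
\\win23\.exe;45
\\win3\.exe;45
\\win30\.exe;45
\\win32\.exe;45
\\win39\.exe;45
\\win4\.exe;45
\\win42\.exe;45
\\win44\.exe;45
\\win45\.exe;45
\\win5\.exe;45
\\win54\.exe;45
\\win55\.exe;45
\\win62\.exe;45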
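\\win64\.exe;45
\\win7\.exe;45
\\win76\.exe;45
\\win77\.exe;45
\\win8\.exe;45
\\win91\.exe;45
\\win96\.exe;45
\\win98\.exe;45
\\win9x\.exe;45
\\wina\.exe;45
\\winad\.exe;45
\\winar\.exe;45
\\winav\.exe;45
\\winb\.exe;45
\\winc\.exe;45
\\wince\.exe;45
\\wind3\.exe;45
\\windf\.exe;45
\\windm\.exe;45
\\winds\.exe;45
\\wine\.exe;45
\\winet\.exe;45
\\winex\.exe;45
\\winfc\.exe;45
\\wingb\.exe;45
\\wings\.exe;45
\\wingt\.exe;45
\\winhd\.exe;45
\\winhv\.exe;45
\\wini\.exe;45
\\winit\.exe;45
\\wink\.exe;45
\\winkl\.exe;45
\\winl\.exe;45
\\winlc\.exe;45
\\winma\.exe;45
\\winmm\.exe;45
\\winmn\.exe;45
\\winmx\.exe;45
\\winn\.exe;45
\\winn1\.exe;45
\\winns\.exe;45
\\winnt\.exe;45
\\winny\.exe;45
\\winog\.exe;45
\\winok\.exe;45
\\winos\.exe;45
\\winow\.exe;45
\\winp9\.exe;45
\\winpc\.exe;45
\\winr\.exe;45
\\winra\.exe;45
\\winrm\.exe;45
\\winrr\.exe;45
\\wins7\.exe;45
\\winsh\.exe;45
\\winsp\.exe;45
\\winss\.exe;45
\\winst\.exe;45
\\wint\.exe;45
\\winu\.exe;45
\\winud\.exe;45
\\winup\.exe;45
\\winvc\.exe;45
\\winvr\.exe;45
\\winw\.exe;45
\\winwl\.exe;45
\\winwn\.exe;45
\\winws\.exe;45
\\winx\.exe;45
\\winxp\.exe;45
\\winxv\.exe;45
# (fixed: was "\\winz\\\.exe" - literal backslash before ".exe")
\\winz\.exe;45
# winlogon.exe look-alikes
\\_winlogon\.exe;45
\\inlogon\.exe;45
\\nlogon\.exe;45
\\wgalogon\.exe;45
\\wimlogom\.exe;45
\\win_logn\.exe;45
\\win1ogo\.exe;45
\\win1ogon\.exe;45
\\win1ogons\.exe;45
\\windlogon\.exe;45
\\winiogon\.exe;45
\\winl0g0n\.exe;45
\\winl0gin\.exe;45
\\winlgon\.exe;45
\\winligon\.exe;45
\\winlngon\.exe;45
\\winlog\.exe;45
\\winlog056\.exe;45
\\winlog0n\.exe;45
\\winlog1\.exe;45
\\winlogan\.exe;45
\\winloge\.exe;45
\\winlogen\.exe;45
\\winloger\.exe;45
\\winlogin\.exe;45
\\winlogins\.exe;45
\\winlogn\.exe;45
\\winlogo\.exe;45
\\winlogom\.exe;45
\\winlogoms\.exe;45
\\winlogon1\.exe;45
\\winlogon3\.exe;45
\\winlogon32\.exe;45
\\winlogon6\.exe;45
\\winlogon86\.exe;45
\\winlogone\.exe;45
\\winlogonl\.exe;45
\\winlogonn\.exe;45
\\winlogonpc\.exe;45
\\winlogonr\.exe;45
\\winlogons\.exe;45
\\winlogor\.exe;45
\\winlogr\.exe;45
\\winlogs\.exe;45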
\\winlogun\.exe;45
\\winlongon\.exe;45
\\winlugan\.exe;45
\\winslogin\.exe;45
\\wnilogon\.exe;45
\\wnlgon\.exe;45
\\wnlogin\.exe;45
# Typical Malware Names
# NOTE(review): these generalised patterns overlap many of the explicit
# Hexacorn look-alike entries above (e.g. explorer1.exe, svch0st.exe,
# svshost.exe, win32.exe). A path hit by an explicit entry and by a pattern
# here is scored by both, so such names end up well above a single score.
\\ex[p]?[l1]orer[a-z0-9]{1,3}\.exe;60
\\ex[p]?[^l]orer;60
\\ex[p]?l[^o]rer;60
\\iexp[1l]ore[a-z0-9]{1,3}\.exe;60
\\iexp[^l]ore;60
\\iexpl[^o]re;60
\\l[^s]?ass\.exe;55
\\lsa[^s]?s\.exe;55
\\l[s]?ass[a-z0-9]\.exe;65
\\sv[^c]host\.exe;55
\\svch[^o]st\.exe;45
\\svc[a-z]host\.exe;45
\\svch0s;60
\\svchost[a-z0-9]{1,3}\.exe;55
\\win[0-9_]{0,3}\.exe;55
\\win1ogo;45
\\win[^l]ogon\.exe;55
\\winl[^o]gon\.exe;55
\\winlog[^o]n\.exe;55
\\winlogon[0-9_a-z]{1,3}\.exe;55
# FireEye Irongate
\\bla\.exe;80
\\update_no_pipe\.exe;80
# NOTE(review): "scada.exe" is a plausible legitimate process name on ICS
# engineering workstations - expect false positives there.
\\scada\.exe;50
\\Step7ConMgr\.dll;70
# NOTE(review): the "scomma scxrt2.ini" entry can only match a file literally
# called "scomma scxrt2.ini" and looks like a conversion artefact; the plain
# scxrt2.ini entry right after it already covers that file name. Check the
# IRONGATE report before removing it.
\\scomma scxrt2\.ini;80
\\scxrt2\.ini;80
# Sofacy APT http://goo.gl/YXb8ZX
[Cc]:\\ProgramData\\iprpp\.dll;100
AppData\\Roaming\\amdcache\.dll;100
# Sofacy APT http://goo.gl/mzAa97
AppData\\Roaming\\btecache\.dll;90
# Many malware samples - including StarCruft
\\scvhosts\.exe;70
# Kaspersky Report https://goo.gl/iWUz63
\\[Ss]ystem32\\scclient\.exe;80
# Suspicious Location
# (an executable placed directly in C:\Windows\Security\)
[Cc]:\\[Ww]indows\\[Ss]ecurity\\[A-Za-z0-9]{1,10}\.(exe|dll);80
# Skeleton Key https://goo.gl/sc6Lqq
\\msuta64\.dll;80
\\ole64\.dll;80
\\olex64\.dll;80
\\HookDC\.dll;80
\\HookDC64\.dll;80
# Project Sauron https://goo.gl/eFoP4A
# (file names dropped into Temp and System32; the list continues below)
\\Temp\\kavupdate\.exe;80
\\Temp\\kvupd\.exe;80
\\Temp\\klnupd\.exe;80
\\[Ss]ystem32\\rpchlpr\.exe;80
\\[Ss]ystem32\\symnet32\.dll;80
\\[Ss]ystem32\\rdiskman\.dll;80
\\[Ss]ystem32\\rseceng\.dll;80
\\[Ss]ystem32\\msprtssp\.dll;80
\\[Ss]ystem32\\ncompc\.dll;80
\\[Ss]ystem32\\rdeskm\.dll;80
\\[Ss]ystem32\\dpsf\.dll;80
\\[Ss]ystem32\\nsecf\.dll;80
\\[Ss]ystem32\\rdesk\.dll;80
\\[Ss]ystem32\\dpsloc\.dll;80
\\[Ss]ystem32\\ddeskm\.dll;80
\\[Ss]ystem32\\rdisksup\.dll;80
\\[Ss]ystem32\\rcompf\.dll;80
\\[Ss]ystem32\\ncompsup\.dll;80
\\[Ss]ystem32\\rdiskf\.dll;80
\\[Ss]ystem32\\iseceng\.dll;80
\\[Ss]ystem32\\msasspc\.dll;80
\\[Ss]ystem32\\wpsloc\.dll;80
\\[Ss]ystem32\\wpackpwf\.dll;80
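\\[Ss]ystem32\\rcnfm\.dll;80
\\[Ss]ystem32\\hptcpprnt\.dll;80
\\[Ss]ystem32\\rdeskf\.dll;80
\\[Ss]ystem32\\ncnfloc\.dll;80
\\[Ss]ystem32\\msaosspc\.dll;80
\\[Ss]ystem32\\ndiskloc\.dll;80
\\[Ss]ystem32\\mperfcl\.dll;80
\\[Ss]ystem32\\polsec\.dll;80
\\[Ss]ystem32\\sxsmgrkbd\.dll;80
\\[Ss]ystem32\\cfgbaseprt\.dll;80
\\[Ss]ystem32\\seccertapi\.dll;80
\\[Ss]ystem32\\krbsec\.dll;80
\\[Ss]ystem32\\prnpapi\.dll;80
\\[Ss]ystem32\\ndisk\.dll;80
\\[Ss]ystem32\\ndisksup\.dll;80
\\[Ss]ystem32\\rdiskloc\.dll;80
\\[Ss]ystem32\\pngmon\.dll;80
\\[Ss]ystem32\\kavsec64\.dll;80
\\[Ss]ystem32\\wlseccomm\.dll;80
\\[Ss]ystem32\\rcnfsys\.dll;80
\\[Ss]ystem32\\wpackshim\.dll;80
\\[Ss]ystem32\\ncnfsys\.dll;80
\\[Ss]ystem32\\sxsapifeed\.dll;80
\\[Ss]ystem32\\wmupdsvc\.dll;80
# (dpsf.dll and rdiskf.dll were listed a second time here; both are already
# in the first half of this Project Sauron list, so the repeats were removed)
\\[Ss]ystem32\\compc\.dll;80
\\[Ss]ystem32\\compman\.dll;80
\\[Ss]ystem32\\cnfsys\.dll;80
\\[Ss]ystem32\\isecf\.dll;80
\\[Ss]ystem32\\klsec\.dll;80
\\[Ss]ystem32\\nagent\.exe;80
\\[Ss]ystem32\\rpsf\.dll;80
\\[Ss]ystem32\\tv_prntx64\.dll;80
\\[Ss]ystem32\\wdesksys\.dll;80
\\[Ss]ystem32\\dsecc\.dll;80
\\[Ss]ystem32\\dcompf\.dll;80
\\[Ss]ystem32\\dsecman\.dll;80
\\[Ss]ystem32\\isecc\.dll;80
\\[Ss]ystem32\\rcompc\.dll;80
\\[Ss]ystem32\\rcnfloc\.dll;80
\\[Ss]ystem32\\rdisk\.dll;80
\\[Ss]ystem32\\dcompman\.dll;80
\\[Ss]ystem32\\npsloc\.dll;80
\\[Ss]ystem32\\nsecc\.dll;80
\\[Ss]ystem32\\wcprts32\.dll;80
\\[Ss]ystem32\\rpsloc\.dll;80
\\[Ss]ystem32\\rsecman\.dll;80
\\[Ss]ystem32\\mstimed\.dll;80
\\[Ss]ystem32\\dcompsup\.dll;80
\\[Ss]ystem32\\compsup\.dll;80
\\[Ss]ystem32\\ncompman\.dll;80
\\[Ss]ystem32\\rsecloc\.dll;80
\\[Ss]ystem32\\rdeskman\.dll;80
\\[Ss]ystem32\\mfc64d\.dll;80
\\[Ss]ystem32\\sceclid\.dll;80
\\[Ss]ystem32\\ddesksys\.dll;80
\\[Ss]ystem32\\isecman\.dll;80
\\[Ss]ystem32\\scsvc32\.exe;80
\\[Ss]ystem32\\polcfg\.dll;80
\\[Ss]ystem32\\cnfloc\.dll;80
\\[Ss]ystem32\\nseci\.dll;80
\\[Ss]ystem32\\eapproxycrypt\.dll;80
# Cisco JBoss Webshell Names https://goo.gl/drkm6k - modified list
# NOTE(review): the source list consists of paths requested by JBoss/Tomcat
# scanners. Besides genuine webshell names it contains stock pages of
# deployed products (e.g. amserver\UI\Login.jsp, console\login\LoginForm.jsp,
# console\faces\jsp\login\BeginLogin.jsp, axis2-web\index.jsp,
# brightmail\index.jsp). Those match a legitimate install of the product and
# should be reviewed, or given a false-positive filter in the third field,
# before they are trusted at score 75. The two bare admin\index.jsp and
# admin\login.jsp entries were disabled for that reason (see below).
\\AfAMeA1\\index\.jsp;75
\\CluJaNuL\\cmd\.jsp;75
\\CoCkZ\\index\.jsp;75
\\ConsoleHelp\\default\.jsp;75
\\DOGBKuoz\\rMbnbnsH\.jsp;75
\\DonGz\\index\.jsp;75
\\WebServiceImpl\\axis2-web\\index\.jsp;75
\\XSAEjslo\\pHXLDsUP\.jsp;75
\\XimhGLGO\\rjsJKakD\.jsp;75
\\a\\a\.jsp;75
\\a\\pwn\.jsp;75
\\aa\\pwn\.jsp;75
# disabled: "admin\index.jsp" / "admin\login.jsp" are the admin landing and
# login pages of countless legitimate JSP applications; re-enable with a more
# specific parent directory or a false-positive filter.
# \\admin\\index\.jsp;75
# \\admin\\login\.jsp;75
\\ajlobUYO\\fMhYrZgm\.jsp;75
\\amserver\\UI\\Login\.jsp;75
\\apache-tomcat\\index\.jsp;75
\\axis2-web\\index\.jsp;75
\\axis2\\axis2-web\\index\.jsp;75
\\backoffice\\servlet\\AboutDestiny_files\\Login\.jsp;75
\\backoffice\\servlet\\AboutDestiny_files\\admin\\login\.jsp;75
\\backoffice\\servlet\\AboutDestiny_files\\axis2-web\\index\.jsp;75
\\backoffice\\servlet\\AboutDestiny_files\\index\.jsp;75
\\backoffice\\servlet\\Login\.jsp;75
\\backoffice\\servlet\\admin\\login\.jsp;75
\\backoffice\\servlet\\axis2-web\\index\.jsp;75
\\backoffice\\servlet\\index\.jsp;75
\\bb\\update\.jsp;75
\\bharath\\index\.jsp;75
\\brightmail\\index\.jsp;75
\\browser\\Browser\.jsp;75
\\browser\\browser\\browser\.jsp;75
\\browser\\shell\.jsp;75
\\browser[0-9]{2,3}\\browser\.jsp;75
\\bynazi\\cmd\.jsp;75
\\car\\cmdpost\.jsp;75
\\ccc\\index\.jsp;75
\\cgi-bin\\Login\.jsp;75
\\cgi-bin\\admin\\login\.jsp;75
\\cgi-bin\\axis2-web\\index\.jsp;75
\\cgi-bin\\index\.jsp;75
# ("{,3}" is Python-only shorthand for "{0,3}" - other regex engines treat it
# literally; written out explicitly so the pattern is portable)
\\cmd[0-9]{0,3}\\cmd\.jsp;75
\\cmdcmd\\cmdcmd\.jsp;75
\\cmdjsp\\cmdjsp\.jsp;75
\\coleman\\index\.jsp;75
\\com\\cmd\.jsp;75
\\com\\com\.jsp;75
\\common\\admin\\login\.jsp;75
\\common\\axis2-web\\index\.jsp;75
\\common\\common\.jsp;75
\\common\\reportsystemcondition\.jsp;75
\\common\\servlet\\axis2-web\\index\.jsp;75
\\common\\servlet\\handleedithomeheaderform\.do;75
\\common\\servlet\\handleedithomelinkform\.do;75
\\console\\faces\\jsp\\login\\BeginLogin\.jsp;75
\\console\\jsp_info\.jsp;75
\\console\\login\\LoginForm\.jsp;75
\\cyanhf\\index\.jsp;75
\\d\\index\.jsp;75
\\damao\\index\.jsp;75
\\dbhrathtmp\\index\.jsp;75
\\dbth\\index\.jsp;75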
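\\deploy\\wGBmaOVe\.war\\GeRRAXwv\.jsp;75
\\deploymentmanager\\index\.jsp;75
\\destiny\\config\.jsp;75
\\destiny\\index\.jsp;75
\\district\\servlet\\Login\.jsp;75
\\district\\servlet\\admin\\login\.jsp;75
\\district\\servlet\\axis2-web\\index\.jsp;75
\\district\\servlet\\index\.jsp;75
\\docs\\funcspecs\\1\.jsp;75
\\docs\\funcspecs\\2\.jsp;75
\\docs\\funcspecs\\3\.jsp;75
\\docs\\funcspecs\\4\.jsp;75
\\docs\\funcspecs\\5\.jsp;75
\\dswsbobje\\axis2-web\\index\.jsp;75
\\dta\\index\.jsp;75
\\e\\e\.jsp;75
\\e\\index\.jsp;75
\\e\\shell\.jsp;75
\\eee\\eee\.jsp;75
\\eg\\smd\.jsp;75
\\egd\\smd\.jsp;75
\\egdus\\smd\.jsp;75
\\eggs\\smd\.jsp;75
\\esc\\esc\\ss\.jsp;75
\\exam\\config\.jsp;75
\\example\\config\.jsp;75
\\example\\index\.jsp;75
# disabled: these two appear to be the stock files of Tomcat's "examples"
# web application, so they match every Tomcat that still ships it. The
# foo.jsp entry right below already treats "examples" as a false-positive
# context for the same reason. Re-enable with a filter if they are wanted.
# \\examples\\jsp\\snp\\snoop\.jsp;75
# \\examples\\jsp\\source\.jsp;75
# third field: false-positive filter for sample / demo deployments
\\foo\.jsp;75;(examples|/demo-base/|test\.war)
\\fs\\shell\.jsp;75
\\gU7gIJat\\yTvIbSJs\.jsp;75
\\ggicmp\\ggicmp\.jsp;75
\\ggikarus\\ggikarus\.jsp;75
\\ggikey\\ggikey\.jsp;75
\\gwadmin-console\\login\.jsp;75
\\gzecmd\\zecmd\.jsp;75
\\he\\index\.jsp;75
\\hhh\\hhh\.jsp;75
\\icmp\\icmp\.jsp;75
\\iddqd\\iddqd\.jsp;75
\\idssvc\\idssvc\.jsp;75
\\iesvc\\iesvc\.jsp;75
\\iframeportlet\\iframeportlet\.jsp;75
\\ihijri\\ihijri\.jsp;75
\\ii\\ii\.jsp;75
\\ijtfcengzr\\ijtfcengzr\.jsp;75
\\ikarus\\ikarus\.jsp;75
\\ikgMrKaJ\\ikgMrKaJ\.jsp;75
\\ikguide\\ikguide\.jsp;75
\\ikhatma\\ikhatma\.jsp;75
\\ilbFwGWq\\ilbFwGWq\.jsp;75
\\imEaY5ja\\imEaY5ja\.jsp;75
\\images\\Login\.jsp;75
\\images\\admin\\login\.jsp;75
\\images\\axis2-web\\index\.jsp;75
\\images\\en\\buttons\\large\\Login\.jsp;75
\\images\\en\\buttons\\large\\admin\\login\.jsp;75
\\images\\en\\buttons\\large\\axis2-web\\index\.jsp;75
\\images\\en\\buttons\\large\\index\.jsp;75
\\images\\en\\buttons\\small\\Login\.jsp;75
\\images\\en\\buttons\\small\\admin\\login\.jsp;75
\\images\\en\\buttons\\small\\axis2-web\\index\.jsp;75
\\images\\en\\buttons\\small\\index\.jsp;75
\\images\\en\\icons\\general\\Login\.jsp;75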
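\\images\\en\\icons\\general\\admin\\login\.jsp;75
\\images\\en\\icons\\general\\axis2-web\\index\.jsp;75
\\images\\en\\icons\\general\\index\.jsp;75
\\images\\icons\\general\\Login\.jsp;75
\\images\\icons\\general\\admin\\login\.jsp;75
\\images\\icons\\general\\axis2-web\\index\.jsp;75
\\images\\icons\\general\\index\.jsp;75
\\images\\index\.jsp;75
\\imcws\\axis2-web\\index\.jsp;75
\\inaseibu\\inaseibu\.jsp;75
# disabled: a bare "index.jsp" is the default page of virtually every JSP
# application. At 75 it flagged every such deployment and, because it also
# matches every "...\index.jsp" entry in this list, doubled their scores.
# \\index\.jsp;75
\\ingvcduwzt\\ingvcduwzt\.jsp;75
\\inmlvphsyu\\inmlvphsyu\.jsp;75
\\intruvert\\jsp\\admin\\Login\.jsp;75
\\invoke\\index\.jsp;75
\\invokemanage\\invokerinfos\.jsp;75
\\invoker\\1\.jsp;75
\\invokermngrt\\aa\.jsp;75
\\ioviyam\\ioviyam\.jsp;75
\\is\\cmd\.jsp;75
\\is\\index\.jsp;75
\\j60ss\\index\.jsp;75
\\jJ0wLC9\\jJ0wLC9\.jsp;75
\\jKeying\\jKeying\.jsp;75
\\jRktoaev\\jRktoaev\.jsp;75
\\javadev\\cmd\.jsp;75
\\jbossass\\index\.jsp;75
\\jbossass\\jbossass\.jsp;75
\\jbossaxx\\jbossaxx\.jsp;75
\\jbossdoc\\jbossdoc\.jsp;75
\\jbossdox\\jbossdox\.jsp;75
\\jbosses\\jbosses\.jsp;75
\\jbossinvoker\\jbossinvoker\.jsp;75
\\jbossis\\jbossis\.jsp;75
\\jbossos\\jbossos\.jsp;75
\\jbot\\jbot\.jsp;75
\\jdev\\cmd\.jsp;75
\\jdev2\\cmd\.jsp;75
\\jdev3\\cmd\.jsp;75
\\jedi-theme\\jedi-theme\.jsp;75
\\jj\\jj\.jsp;75
\\jmx-admin\\1\.jsp;75
\\jmx-admin\\2\.jsp;75
\\jmx-management\\sysup\.jsp;75
\\jobss-ebmyae\\jobss-ebmyae\.jsp;75
\\jobss-kqgmyg\\jobss-kqgmyg\.jsp;75
\\jobss-rjkonr\\jobss-rjkonr\.jsp;75
\\jobss-utdqkz\\jobss-utdqkz\.jsp;75
\\jrm1arJ\\jrm1arJ\.jsp;75
\\jsp\\PreLogin\.jsp;75
\\jsp\\index\.jsp;75
\\jspshell\\index\.jsp;75
\\kakou\\kakou\.jsp;75
\\knet\\knet\.jsp;75
\\kohls\\kohls\.jsp;75
\\kort-theme\\kort-theme\.jsp;75
\\kpzalrmhjt\\kpzalrmhjt\.jsp;75
\\kqgfyojlmw\\kqgfyojlmw\.jsp;75
\\kqrecOhV\\kqrecOhV\.jsp;75
\\krweQEfC\\krweQEfC\.jsp;75
\\lnnpp\\lnnpp\.jsp;75
# disabled: a bare "login.jsp" is the login page of virtually every JSP
# application - same problem as index.jsp above.
# \\login\.jsp;75
\\console\\console\.jsp;75
\\console\\index\.jsp;75
\\ls\\cmd\.jsp;75
\\ls\\ls\.jsp;75
\\ly\\ly\.jsp;75
\\m\\schdC\.jsp;75
\\man\\3\.jsp;75
\\manager\\113\.jsp;75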
\\manager\\fix\.jsp;75 \\manager\\http\.jsp;75 \\manager\\mybrowser\.jsp;75 \\manager\\poster\.jsp;75 \\manager\\ujap\.jsp;75 \\manager\\upup\.jsp;75 \\mecmd\\mecmd\.jsp;75 \\med\\med\.jsp;75 \\mela\\mela\.jsp;75 \\mgr\\lnx\.jsp;75 \\momo\\no\.jsp;75 \\msndbjgpaw\\msndbjgpaw\.jsp;75 \\msquare\\msquare\.jsp;75 \\namecard\\namecard\.jsp;75 \\namlah\\namlah\.jsp;75 \\netflow\\jspui\\NetworkSnapShot\.jsp;75 \\neweb_cs\\neweb_cs\.jsp;75 \\newgensso\\newgensso\.jsp;75 \\nhgsab\\nhgsab\.jsp;75 \\niet[0-9]{8,9}\.jsp;75 \\no\\no\.jsp;75 \\nop\\index\.jsp;75 \\nop\\nop\.jsp;75 \\nsilog\\nsilog\.jsp;75 \\ntpu\\ntpu\.jsp;75 \\ntuh\\ntuh\.jsp;75 \\nyco\\nyco\.jsp;75 \\ooxx\\ooxx\.jsp;75 \\opensso\\UI\\Login\.jsp;75 \\ori\\pwn\.jsp;75 \\os\\smd\.jsp;75 \\oss\\smd\.jsp;75 \\pass\\index\.jsp;75 \\payload\\payload\.jsp;75 \\pjjxh\\pjjxh\.jsp;75 \\psconsole\\faces\\common\\ProductVersion\.jsp;75 \\pw\\pw\.jsp;75 \\pwn\\pwn\.jsp;75 \\pwnd\\pwnd\.jsp;75 \\qqq\\qqq\.jsp;75 \\qwer\\index\.jsp;75 \\qwer\\qwer\.jsp;75 \\qyjxh\\qyjxh\.jsp;75 \\radlink\\radlink\.jsp;75 \\rdsan\\rdsan\.jsp;75 \\rgcb\\index\.jsp;75 \\rhspc\\rhspc\.jsp;75 \\roller-ui\\index\.jsp;75 \\roller\\index\.jsp;75 \\rs\\Browser\.jsp;75 \\console\\rshell\.jsp;75 \\rshell\\rshell\.jsp;75 \\rshell169\\rshell\.jsp;75 \\rshell197\\rshell\.jsp;75 \\rshell94\\rshell\.jsp;75 \\s\\s\.jsp;75 \\safe2\\index\.jsp;75 \\scripts\\Login\.jsp;75 \\scripts\\admin\\login\.jsp;75 \\scripts\\axis2-web\\index\.jsp;75 \\servar\\servar\.jsp;75 \\server\\server\.jsp;75 \\sh3ll\\sh3ll\.jsp;75 \\shel\\shel\.jsp;75 \\shell\\shell\.jsp;75 \\shell[0-9]{1,3}\\shell\.jsp;75 \\shellinvokee\\shellinvokee\.jsp;75 \\shellinvoker\\index\.jsp;75 \\shellinvoker\\shellinvoker\.jsp;75 \\shellinvokxy\\shellinvokxy\.jsp;75 \\sicerweb\\sicerweb\.jsp;75 \\sicguadalajara\\sicguadalajara\.jsp;75 \\simplelinkportlet\\simplelinkportlet\.jsp;75 \\sjinad\\index\.jsp;75 \\smgodyfatv\\smgodyfatv\.jsp;75 \\smjwcyadot\\smjwcyadot\.jsp;75 \\smrnqgdfbx\\smrnqgdfbx\.jsp;75 
\\sns\\index\.jsp;75 \\sohzfdxgcy\\sohzfdxgcy\.jsp;75 \\sonyjukeboxmdb\\sonyjukeboxmdb\.jsp;75 \\sonyxmlchartfeed\\sonyxmlchartfeed\.jsp;75 \\spy195\\spy\.jsp;75 \\spy274\\spy\.jsp;75 \\ssvcss\\index\.jsp;75 \\sw-style\\sw-style\.jsp;75 \\swynhoff\\swynhoff\.jsp;75 \\syjxh\\syjxh\.jsp;75 \\sync\\sync\.jsp;75 \\sysaid\\Login\.jsp;75 \\system1\.jsp;75 \\system2\.jsp;75 \\system3\.jsp;75 \\t2stj60ss\\t2stj60ss\.jsp;75 \\test\\2\.jsp;75 \\test\\test\.jsp;75 \\testo\\testo\.jsp;75 \\tiger2\\index\.jsp;75 \\tmui\\login\.jsp;75 \\tyrinnjefferies\\tyrinnjefferies\.jsp;75 \\upload5warn\\css\.jsp;75 \\validadorDocumento\\validadorDocumento\.jsp;75 \\wado\\wado\.jsp;75 \\wdjxh\\wdjxh\.jsp;75 \\wincfg\\wincfg\.jsp;75 \\wizard\\wizard\.jsp;75 \\wky\\wky\.jsp;75 \\wlweb\\wlweb\.jsp;75 \\wmHbixOS\\wmHbixOS\.jsp;75 \\wooyun\\wooyun\.jsp;75 \\ws\\axis2-web\\index\.jsp;75 \\wstats\\wstats\.jsp;75 \\x\\pwn\.jsp;75 \\x\\w\.jsp;75 \\x\\x\.jsp;75 \\xfsix\\xfsix\.jsp;75 \\xpoolm\\xpoolm\.jsp;75 \\xpoolm10\\xpoolm10\.jsp;75 \\xx\\index\.jsp;75 \\xx\\xx\.jsp;75 \\xxoo\\xxoo\.jsp;75 \\xxx\\xxx\.jsp;75 \\xxxxyyyy\\xxxxyyyy\.jsp;75 \\xxxyyy\\xxxyyy\.jsp;75 \\yinyi\\yinyi\.jsp;75 \\ysbao\\ysbao\.jsp;75 \\zbqwx\\zbqwx\.jsp;75 \\zcmd\\zcmd\.jsp;75 \\zecd\\zecd\.jsp;75 \\zecmd\\osl\.jsp;75 \\zecmd\\zecmd\.jsp;75 \\zeekill\\zeekill\.jsp;75 \\zere\\zere\.jsp;75 \\zere\\zion\.jsp;75 \\zfcgreg\\zfcgreg\.jsp;75 \\zfsqapp\\zfsqapp\.jsp;75 \\zion\\zion\.jsp;75 \\zjjxh\\zjjxh\.jsp;75 \\zjxh\\zjxh\.jsp;75 \\zmeu\\zmeu\.jsp;75 \\zzmeu\\zzmeu\.jsp;75 \\jexinv3\\jexinv3\.jsp;75 \\jexws\\jexws\.jsp;75 \\jexws3\\jexws3\.jsp;75 \\invoker\\jbosscons\.jsp;75 # APT29 Report PaloAlto AppData\\Adobe\\qpbqrx\.dat;80 # Webshells \\antak\.aspx;70 # Buckeye APT \\eof\.exe;100 # Suspicious EXE DLL in Non-Executable directory \\(images|img|js|fonts|css|swf|themes|log|error_docs)\\[^\\"]{,20}\.(exe|dll)$;60 \\(wp-admin|wp-content|wp-includes)\\[^\\"]{,20}\.(exe|dll);60 # APT29 Post-Election Activity https://goo.gl/4nyX1e 
\\RWP_16-038_Norris\.ZIP;80 \\37486\.ZIP;60 \\message0236\.ZIP;80 \\Roaming\\Apple\\gwV46iIc\.idx;80 \\Roaming\\HP\\fywhx\.dll;80 \\Roaming\\Dell\\impku\.dat;80 \\Roaming\\Apple\\hqwhbr\.lck;80 # Shamoon 2.0 https://goo.gl/khxVGq ystem32\\ntssrvr32\.exe;80 ystem32\\ntssrvr64\.exe;80 \\ntssrvr32\.bat;80 ystem32\\gpget\.exe;80 ystem32\\drdisk\.sys;80 \\key8854321\.pub;80 ystem32\\netinit\.exe;80 \\inf\\usbvideo324\.pnf;70 \\Windows\\System32\\caclsrv\.exe;65 \\Windows\\System32\\certutl\.exe;65 \\Windows\\System32\\clean\.exe;65 \\Windows\\System32\\ctrl\.exe;65 \\Windows\\System32\\dfrag\.exe;65 \\Windows\\System32\\dnslookup\.exe;65 \\Windows\\System32\\dvdquery\.exe;65 \\Windows\\System32\\event\.exe;65 \\Windows\\System32\\extract\.exe;65 \\Windows\\System32\\findfile\.exe;65 \\Windows\\System32\\fsutl\.exe;65 \\Windows\\System32\\gpget\.exe;65 \\Windows\\System32\\iissrv\.exe;65 \\Windows\\System32\\ipsecure\.exe;65 \\Windows\\System32\\msinit\.exe;65 \\Windows\\System32\\netx\.exe;65 \\Windows\\System32\\ntdsutl\.exe;65 \\Windows\\System32\\ntfrsutil\.exe;65 \\Windows\\System32\\ntnw\.exe;65 \\Windows\\System32\\power\.exe;65 \\Windows\\System32\\rdsadmin\.exe;65 \\Windows\\System32\\regsys\.exe;65 \\Windows\\System32\\routeman\.exe;65 \\Windows\\System32\\rrasrv\.exe;65 \\Windows\\System32\\sacses\.exe;65 \\Windows\\System32\\sfmsc\.exe;65 \\Windows\\System32\\sigver\.exe;65 \\Windows\\System32\\smbinit\.exe;65 ystem32\\Drivers\\drdisk.sys;70 # GoldenEye Ransomware Naming Scheme Temp\\rad[A-F0-9]{5}\.exe;70 # Shadow Broker File Listing Dec 2016 \\bs\.ratload;80 \\catflap$;80 \\catflap_;80 \\charm_razor;80 \\charm_penguin;80 \\charm_hammer;80 \\alwayspcap\.pl;80 \\curse(bingo|bongo|chicken|clash|devo|fire|flower|gismo|happy|hole)\.;60 \\dampcrowd\.;80 \\dewdrop__;80 \\Dubmoat_;80 \\Dubmoat\-;80 \\ebbisland;60 \\ebbnew_linux;60 \\ebbshave\.;80 \\eggbasket$;80 \\elatedmonkey\.;80 \\electricslide;80 \\toffeehammer;80 \\elgingamble;80 \\endlessdonut;80 
\\enemyrun\.;80 \\environcollision;80 \\envoytomato;80 \\expoxyresin;80 \\esna\.py$;80 \\estopmoonlit;80 \\evolvingstrategy;80 \\ewok$;80 \\x86\-linux\-exactchange;80 \\x86_x64\-linux\-exactchange;80 \\exp\.x$;60 \\exp\.s$;60 \\exze$;60 \\ghost_x86;80 \\ghost_sparc;80 \\ftshell\.;50 \\jackpop\.;60 \\magicjack_;60 \\orleansstride;80 \\orleans_stride;80 \\porkserver\.;80 \\porksclient\.;80 \\seconddate;60 \\skimcountry;80 \\slyheretic;80 \\stoicsurgeon;80 \\strifeworld;80 \\implant;40 \\vs\.attack;80 \\ys\.ratload;80 # Kaspersky StoneDrill Report \\[Ww]indows\\[Tt]emp\\key[0-9]{6,8}\.pub;70 \\caclsrv\.exe;60 \\dvdquery\.exe;60 \\msinit\.exe;60 \\certutl\.exe;60 \\event\.exe;60 \\ntfrsutil\.exe;60 \\routeman\.exe;60 \\ntnw\.exe;60 \\findfile\.exe;60 \\ntdsutl\.exe;60 \\rrasrv\.exe;60 \\netx\.exe;60 \\ctrl\.exe;60 \\gpget\.exe;60 \\sacses\.exe;60 \\fsutl\.exe;60 \\dfrag\.exe;60 \\ipsecure\.exe;60 \\rdsadmin\.exe;60 \\sfmsc\.exe;60 \\dnslookup\.exe;60 \\iissrv\.exe;60 \\regsys\.exe;60 \\smbinit\.exe;60 # Unicode Left-to-Right Override Trick https://goo.gl/cHnBqP fdp\.exe;60;\\bin\\ # APT 29 Activity https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html \\googleService\.exe;80 \\Program Files\(x86\)\\Google\\GoogleUpdate\.exe;80 \\Program Files\(x86\)\\Google\\start\.ps1;80 \\Program Files\(x86\)\\Google\\install\.bat;80 # Typical Malware Names \\svchos1\.exe;60 \\Program Files\(x86\)\\Google\\[^\\"]{1,20}\.(exe|ps1);80 \\Windows\\inf\\[^\\"]{1,20}\.(exe|ps1);60 # Cloud Hopper Indicator - https://goo.gl/OkB63q \\mfeann\.data;90 \\vba32arch\.dll;90 \\SFCNS\.dat;90 \\schf\.its;90 \\logmeinsystrays\.dat;90 \\secretsdump\.exe;90 \\psexe\.exe;90 \\NetSess\.exe;90 \\detect\.vbs;90 \\rund11\.exe;90 \\nbt\.exe;90 \\atexec\.exe;90 \\LogMeInSystrays\.dat;90 \\NvSmart\.hlp;90 \\AppData\\Local\\Temp\\winsyslog\\msseces\.exe;90 \\AppData\\Local\\Temp\\winsyslog\\msseces\.asm;90 \\AppData\\Local\\Temp\\winsyslog\\mPclient\.dll ;90 \\Vba32ar\.cab\.dat;90 
\\gfdnippwwg;90 \\Windows Data AntiVirus;90 \\t\.vbs\.cfg;90 \\furnish\.dat;90 \\ProgramData\\SxS\\[^\\"]{1,20}\.(exe|dll|dat);50;\\eastoeb\.exe \\wpf-etw\.dat;90 \\microsoft\.workflow\.compiler\.dat;90 # Cloud Hopper Indicator - Rare Software - Check for False Positives https://goo.gl/OkB63q \\gothic\.dat;60 \\shortcutfixer\.exe;60 \\k7sysmon\.exe;60 \\pokerstarsbr\.exe;60 \\t\.vbs;60 \\tcping\.exe;60 \\K7sysmn1\.dll;60 # Cloud Hopper - Annex B Extraction https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf \\AppData\\Local\\Temp\\handkerchief\.dat;80 \\Temp\\obedience\.exe;80 \\AppData\\Local\\Temp\\starburn\.dll;80 \\RedLeaves\.exe;75 \\PerfLogs\\[^\\"]{1,20}\.(exe|vbs|ps1);60 \\wmi\.dll\.bak;80 \\rund1132\.exe;80 \\consl64\.exe;60 # Lazarus Group https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ \\Windows\\Web\\Wallpaper\\[^\.]{1,25}\.(exe|dll|vbs|ps1);70 \\Desktop\\win32\\liboradb\.dll;80 \\Windows\\msdtc\.exe;80 \\Windows\\gpvc\.exe;80 \\Windows\\Help\\srservice\.chm;80 \\Windows\\Help\\srservice\.hlp;70 ystem32\\lcsvsvc\.dll;80 \\Windows\\msdtc\.bat;70 :\\MSO10\\LATIN\.SHP;70 # US CERT Alert (TA17-117A) \\3D Tetris\.exe;60 \\2016-12-01_05-18_c1cb28327d3364768d1c1e4ce0d9bc07_4132357b;80 \\2016-11-30_00-13_23d03ee4bf57de7087055b230dae7c5b_79a67d75;80 \\f157874512\.exe;80 \\artf\.exe;80 \\age\.exex;80 \\b20ce00a6864225f05de6407fac80ddb83cd0aec00ada438c1e354cdd0d7d5df\.bin;80 \\WinCConnect\.exe;60 \\RCt\.exe;80 \\SXm\.exe;80 \\offcee\.EXE;80 \\ShorcutLauncher\.exe;80 \\ap1\.exe;80 \\run\.dll;60 \\Vba32ar\.exe;80 \\runsna\.dll;80 \\dragon\.dll;80 \\GeekBuddyRSP\.exe;80 \\cif\.exe;80 \\condition\.dat;80 \\gentee\.dll;60 # Oilrig https://goo.gl/Gw32C8 \\Program Files \(x86\)\\Microsoft Idle\\[^\\"]{1,16}\.exe;70 \\Start Menu\\Programs\\Startup\\WinInit\.lnk;70 \\Start Menu\\Programs\\Startup\\SyncInit\.lnk;70 # Snake / Turla https://goo.gl/QaOh4V /Library/LaunchDaemons/com.adobe\.update\.plist;70 /Library/Scripts/installd\.sh;70 
/Library/Scripts/queue;70 /var/tmp/\.ur-;70 /tmp/\.gdm-socket;70 /tmp/\.gdm-selinux;70 # Custom SHIM SDB found - this is suspicious - see https://goo.gl/xW90xr \\Windows\\AppPatch\\Custom\\[^\\"]{1,50}\.sdb;40 \\Windows\\AppPatch\\Custom\\Custom64\\[^\\"]{1,50}\.sdb;40 # FIN7 SHIM temp files pattern - see https://goo.gl/xW90xr \\Windows\\Temp\\sdb[A-Z0-9]{4}\.tmp$;60 # Kazuar - https://goo.gl/eDDTQj \\AppData\\Local\\[a-f0-9]{32}\\[a-f0-9]{32}\.dll;70 \\AppData\\Local\\[a-f0-9]{32}\\[a-f0-9]{32}\\;60 # ISM RAT - https://goo.gl/2EM5Ih \\AppData\\Local\\Microsoft\\Windows\\jTmp[0-9]{6}\.txt;70 # Vault7 - CIA tool - file name pattern \\f32\.dll;50 \\f64\.dll;50 \\fs32\.dll;50 \\fs64\.dll;50 \\f32\.exe;50 \\f64\.exe;50 \\fs32\.exe;50 \\fs64\.exe;50 \\encrypter32\.exe;50 \\f32_dbg\.dll;50 \\f64_dbg\.dll;50 \\fs32_dbg\.dll;50 \\fs64_dbg\.dll;50 \\fs32_dbg\.exe;50 \\fs64_dbg\.exe;50 \\encrypter32_dbg\.exe;50 # HP Keylogging Audio Driver https://goo.gl/BSQWzw \\Users\\Public\\MicTray\.log;70 # WannaCry Ransomware https://goo.gl/1M92G1 \\tasksche\.exe;75 \\mssecsvc\.exe;75 \\taskdl\.exe;75 \\WanaDecryptor;75 \\taskhsvc\.exe;75 \\taskse\.exe;75 \\111\.exe;75 \\lhdfrgui\.exe;75 \\linuxnew\.exe;75 \\wannacry\.exe;75 \\@Please_Read_Me@\.txt;75 \.wcry$;75 \.wncry$;75 \.WCRY$;75 \.WNCRY$;75 # Fireball Malware - Check Point Report - https://goo.gl/4pTkGQ \\clearlog\.dll;70 \\de_svr\.exe;70 \\lancer\.dll;70 \\regkey\.exe;40 \\Program Files\\Services\\iThemes\.dll;70 # Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads https://goo.gl/OOB3mH [Cc]:\\taskmgr\.exe;80 [Cc]:\\1\.vbs;60 \\systemUpdate\.exe;60 \\systemHome\.exe;80 \\wyawou\.exe;80 \\Temp\\[0-9]{5,6}\.gho;70 \\[Ss]ystem32\\aaaaaa\.exe;100 # Abnormal System File Location ------------------------------------------------ # Abnormal File Location #\\msn\.exe$;60;\\MSNCoreFiles\\ #\\messenger\.exe$;60;\\MSN Messenger #\\vmware\.exe$;60;(kstation|Programs) #\\SCNotification\.exe$;60;CCM\\ 
#\\SavService\.exe$;60;[Aa]nti\-[Vv]irus\\ #\\ALsvc\.exe$;60;AutoUpdate\\ # Ncat #\\ncat\.exe$;60;\\(bin|sbin|Nmap)\\ #\\nc\.exe$;60;\\(bin|sbin)\\ #\\nping\.exe$;60;\\(bin|sbin|Nmap|nmap)\\ # AppCompatSearch -------------------------------------------------------------- # Signatures from https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt # THOR 3rd generation format - Regex;Score;FP Regex # Misplaced system files #([C-Zc-z]:|\\\\).{1,40}\\(svchost\.exe|lsass\.exe|lsm\.exe|services\.exe|smss\.exe|calc\.exe)[^.\\]?;65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Sysnative|dllcache|WINXP|WINDOWS|i386|%system32%)\\ #([C-Zc-z]:|\\\\).{1,40}\\(msra\.exe|ctfmon\.exe|csrss\.exe|snmp\.exe|alg\.exe);65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Sysnative|dllcache|WINXP|WINDOWS|i386|%system32%)\\ #([C-Zc-z]:|\\\\).{1,40}\\(spoolsrv\.exe|winlogon\.exe|taskmgr\.exe|taskeng\.exe);65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Sysnative|dllcache|WINXP|WINDOWS|i386|%system32%)\\ #([C-Zc-z]:|\\\\).{1,40}\\mshta\.exe$;65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|dllcache|WINXP|WINDOWS|i386|windows|ie8|ie7|%system32%|\$NtServicePackUninstall\$)\\ #([C-Zc-z]:|\\\\).{1,40}\\cmd\.exe$;65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Sysnative|dllcache|WINXP|WINDOWS|i386|dllcache|WINXP|WINDOWS|%system32%)\\ #([C-Zc-z]:|\\\\).{1,40}\\explorer\.exe$;65;(?i)(HKCR\\Applications|winsxs|WinSxS|WINXP|WINDOWS|Windows|i386|WINXP|WINDOWS|Win2k|WINNT|Windows|windows|%SystemRoot%|%system32%|CrashDumps)\\ # Other misplaced files you probably want to be aware of 
#([C-Zc-z]:|\\\\).{1,40}\\(cmd|lsass|rundll|rundll32|net|net1|taskeng|conhost|powershell)\.exe;65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|dllcache|WINXP|WINDOWS|i386|anti-malware|%system32%|activation_config|Logging|ADDriver|cmd\.exe\.lnk|CrashDumps)\\ # Archivers on odd locations #\\rar(32|64)?\.exe;40;(?i)(\\WinRAR|\\wrar) #\\7za\.exe;50;(?i)(\\VMware Player|\\utilities|\\tools[^\\]*|\\PortableApps\\|\\Lenovo\\System Update|\\adobe creative cloud\\utils\\zip|\\bin) # Misspelt Windows binaries example \\scvhost\.exe;76 \\svch0st\.exe;76 \\svchosts\.exe;76 \\svchots\.exe;76 \\suchost\.exe;76 \\svchost\.\.exe;76 \\rundll64\.exe;55 # Stuff running where it normally shouldn't \\((Users|Documents and Settings))\\[^\\"]{1,20}\.(exe|dll);65 \\(Users|Documents and Settings)\\[^\\"]{1,20}\\[^\\"]{1,20}\.(exe|dll|vbs|bat|ps1);40 \\(Users|Documents and Settings)\\NetworkService\\[^\\"]{1,20}\.(exe|dll);60 \\Windows\\[Ss]ystem32\\config\\systemprofile\\[^\\"]{1,20}\.(exe|dll);60 [Cc]:\\$Recycle\.Bin\\[^\\"]{1,20}\.(exe|dll);60 [Cc]:\\RECYCLER\\[^\\"]{1,20}\.(exe|dll);60 [Cc]:\\(Web|Intel)\\[^\\"]{1,20}\.(exe|dll);50 [Cc]:\\(Windows|Winnt)\\(Debug|addins)\\[^\\"]{1,20}\.(exe|dll);60 [Cc]:\\(Windows|Winnt)\\(repair|security)\\[^\\"]{1,20}\.(exe|dll);60 \\Cookies\\[^\\"]{1,20}\.(exe|dll);60 \\RSA\\MachineKeys\\[^\\"]{1,20}\.(exe|dll);60 \\(Users|Documents and Settings)\\[^\\"]{1,20}\\Start Menu\\[^\\"]{1,20}\.(exe|dll);60 \\(Users|Documents and Settings)\\[^\\"]{1,20}\\AppData\\[^\\"]{1,20}\.(exe|dll);60 \\(Users|Documents and Settings)\\[^\\"]{1,20}\\AppData\\(Local|Roaming)\\[^\\"]{1,20}\.(exe|dll);60 \\(Users|Documents and Settings)\\[^\\"]{1,20}\\AppData\\Roaming\\Identities\\[^\\"]{1,20}\.(exe|dll);60 \\tsclient\\[^\\"]{1,20}\.(exe|dll);40 # Typical Malware Location - AppData / Local / Roaming 
(?i)\\AppData\\[^\\/"]{1,64}\.exe([^._"\\\]]|$);75;(?i)(C:\\SW\\[^\\]{1,20}\\SWSETUP\\DRV\\|C:\\WINDOWS\\System32\\DriverStore\\|C:\\\$WINDOWS\.~BT\\NewOS\\Windows\\System32\\DriverStore\\FileRepository\\|\\Utilities\\PROSet\\) (?i)\\AppData\\[^\\/"]{1,64}\.(dll|bat|vbs|vbe|ps1|psm1|js\b|hta);75;(\.json|\\Program Files\\Win Movie Maker\\|\\Program Files\\Windows Video Editor|\\Program Files\\HomeDev\\PatchCleaner\\AppData\\) (?i)\\AppData\\Local\\[^\\/]{1,64}\.exe([^._\\\]]|$);75;\[Update\.exe\] (?i)\\AppData\\Local\\[^\\/]{1,64}\.(dll|bat|vbs|ps1|hta);80 (?i)\\AppData\\Roaming\\[^\\/]{1,64}\.exe$;75;\\JomCap\.dll (?i)\\AppData\\Roaming\\[^\\/]{1,64}\.(dll|bat|vbs|ps1|hta);80 # Metasploit-dropped files with random file names #\\windows\\temp\\[a-zA-Z]{16}\.(exe|bat);60;VerifyAndInstall\.exe # Finds WinRAR directories in the Default User, All Users, and Network User accounts. This may indicate RAR usage by these accounts. \\Network user\\Application Data\\WinRAR;60 \\All users\\Application Data\\WinRAR;60 \\Default User\\Application Data\\WinRAR;60 # Known Bad / Dual use classics \\xcmd\.exe;60 \\servpw64;60 \\quarks;60 \\lcx\.exe;60 \\winrs\.cmd;60 \\nbtscan\.exe;60 \\wmiexec;60 \\smbscan;60 #\\osql\.exe$;50;(?i)(\\Microsoft SQL Server\\) #\\(procdump|pdump|pc)(64)+\\.exe;50;(?i)(\\SysInternals\\) # Cred Dumping \\(q32|q64|wceaux|w86|q86|quarkpwd[^\\]*|m64|m32|hash32|hash64|64|32|wce32|wce64|w32|w64|wce|p32|p64|ps32|ps64|mimikatz|mimilove|mm32|mm64|pw32|pw64|g32|g64|gs32|gs64|hashdump|dumpsvc)\.exe;60;\\distlib\\ \\(g64\-|\\g32\-|\\gsecdump\.exe|gcx64\.|\\gcx32\.|\\gec\.|\\gse\.exe);60 \\fgdump;60 \\w32\.exe;50;(site-packages|python|Python|\\Root\\InventoryApplicationFile|/pip/|/pip-) \\w64\.exe;50;(site-packages|python|Python|\\Root\\InventoryApplicationFile|/pip/|/pip-) # Generic methodology - 1 character executable / script in short path 
#[a-zA-Z]:[.]{0,10}\\[.]\.(exe|dll|vbs|ps1|bat|sh)$;60;(?i)(\\cygwin\\|\\GnuWin32\\|Opera\\k\.(exe|bat)|\\R\\r-|\\Git\\usr|\\adobe after effects|\\perl) # Numeric vbs \\[0-9]{1,10}\.vbs;60;UseLocalMachineSoftwareClassesWhenImpersonating \\[a-zA-z][0-9]{2,10}\.vbs;60 # Script in Windows Directory [Cc]:\\Windows\\[a-z]{1,10}\.(bat|vbs|ps1)$;60 # Numeric Exe in System32 folder \\(Windows|system32)\\[0-9]{2,20}\.exe;60 # Short executable or script in system drive root [Cc]:\\[a-z0-9]{1,3}\.(exe|vbs|ps1|bat|dll)$;60 # Single character executable on a drive root [C-Zc-z]:\\[a-z0-9]\.(exe|vbs|ps1|bat|dll)$;60 # Exe in RARSFX folder #\\RarSFX\d\\[^\\"]{1,20}\.exe;50;(?i)(\\RarSFX\d\\lsetup\.exe|\\intiupdater\.exe) # Classic attacker staging folders [Cc]:\\(Recovery|Intel|Web)\\[^\\"]{1,16}\.(exe|dll|vbs|ps1|bat);60 #[Cc]:\\(Windows|Winnt)\\(Help|Web|Media|ime|Debug|Fonts)\\[^\\"]{1,16}\.(exe|dll|vbs|ps1|bat);60;(?i)(\\WINDOWS\\IME\\im[^\\]*_1\\IM) \\System Volume Information\\[^\\"]{1,16}\.(exe|dll|vbs|ps1|bat);60 \\(perflogs|perfdata)\\[^\\"]{1,16}\.(exe|dll|vbs|ps1|bat);60 # Generic startup persistence flagging \\Start Menu\\Programs\\Startup\\[^\\"]{1,16}\.(exe|dll|vbs|ps1|bat);60;\.exe\.lnk # Executable used by PlugX DLL side-loading in non-standard location #(?i)\\CamMute\.exe;60;(?i)\\Lenovo\\Communication Utility\\ #(?i)\\chrome_frame_helper\.exe;60;(?i)\\Google\\Chrome\\application\\ #(?i)\\dvcemumanager\.exe;60;(?i)\\Microsoft Device Emulator\\ #(?i)\\Gadget\.exe;60;(?i)\\Windows Media Player\\ #(?i)\\hcc\.exe;60;(?i)\\HTML Help Workshop\\ #\\hkcmd\.exe;60;(?i)\\(System32|system32|SYSTEM32|winsxs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Graphics|Packages)\\ #(?i)\\Mc\.exe;40;(?i)\\([Mm]icrosoft [Vv]isual [Ss]tudio|Windows Kits|Microsoft SDK|microsoft sdk) #(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware|Image File Execution Options|Windows\\servicing) #(?i)\\msseces\.exe;60;(?i)\\(Microsoft Security Center|Microsoft Security 
Client)\\ #(?i)\\OInfoP11\.exe;60;(?i)(\\Common Files\\Microsoft Shared\\|\\Installer\\) #(?i)\\OleView\.exe;60;(?i)\\(Microsoft SDK|Windows Kits|[Mm]icrosoft [Vv]isual [Ss]tudio|Windows Resource Kit) #\\LOLWLauncher\.exe;40 #\\fsstm\.exe;40 #\\AShld\.exe;40 #\\fsguidll\.exe;40 #\\mcf\.exe;40 #\\mcupdui\.exe;40 #\\mcut\.exe;40 #\\NvSmart\.exe;40 #\\ACLUI\.DLL;40 #\\POETWLauncher\.exe;40 #\\RasTls\.exe;40 #\\RunHelp\.exe;40 #\\sep_NE\.exe;40 #\\setup\.dll;40 #\\tplcdclr\.exe;40 #\\Ushata\.exe;40 # Often used in PlugX samples - not malware itself \\POETWLauncher\.exe;60 # Industroyer / CrashOverride IOCs https://dragos.com/blog/crashoverride/ \\tiersvc\.exe;80 \\61850\.exe;80 \\defragsvc\.exe;80 \\haslo\.exe;80 \\avtask\.exe;60 \\104\.dll;80 \\port\.exe;40 \\haslo\.dat;80 # Hidden Cobra https://www.us-cert.gov/ncas/alerts/TA17-164A (?i)C:\\WINDOWS\\SYSTEM32\\CATROOT2\\EDBCHK\.LOG;75 (?i)C:\\WINDOWS\\SYSTEM32\\MIMEFILTER\.XML;75 (?i)C:\\AWORK\\CATROOT2;80 (?i)C:\\WINDOWS\\SYSTEM32\\CATROOT2\\\{12CD0A1D-4EA2-11D1-8608-00C04F-C295EF\};65 (?i)C:\\WINDOWS\\SYSTEM32\\CATROOT2\\\{A750E6C3-38EE-17D5-85E5-10D03D-A378DE\};65 # JP CERT - Lateral Movement http://blog.jpcert.or.jp/2017/06/1-ae0d.html # PWDump Traces \-PWHashes\.txt$;70 \-PWHashes\.txt\.Obfuscated$;70 \\DumpSvc\.exe;75 ystem32\\DumpExt\.dll;75 \\Prefetch\\DUMPSVC\.EXE;80 # QuarksPWDump Traces \\Local\\Temp\\SAM-[0-9]{1,12}\.dmp;70 (?i)\\quarks-pwdump\.exe;80 # WCE Traces \\AppData\\Local\\Temp\\wceaux\.dll;80 # LSLSASS Traces \\LSLSASS\.exe;80 \\lslsass\.exe;80 # Find-GPOPasswords \\Find-GPOPasswords\.ps1;75 \\GPPDataReport-[A-Z_0-9]{2,16}-[0-9_\-]{8,12}\.csv;80 # Mail Password View Traces \\mailpv\.exe;65 # Web Browser Pass View \\WebBrowserPassView\.exe;80 # Remote Desktop Pass View \\rdpv\.exe;60 # csvde export of Active Directory information \\AppData\\Local\\Temp\\csv[0-9]{4,12}\.tmp;80 # Typical malware names VT evaluation July 2017 \\ \.exe;50 \\\$\$\.tmp;50 \\-_-\.sfx\.exe;50 \\\?\.exe;50 \\\?\?\?\.EXE;50 
\\\?\?\?\?\.exe;50 \\a\.exe;50 \\aa\.exe;50 \\ab50\.exe;50 \\abc1\.exe;50 \\Ac\.dll;50 \\ActivAdobe\.exe;50 \\admin5\.exe;50 \\ado1234\.exe;50 \\adobe\.sfx\.exe;50 \\adobeflash\.exe;50 \\adobeplayer\.exe;50 \\afjuukilf\.exe;50 \\aiii\.exe;50 \\ajoalol\.exe;50 \\ali\.exe;50 \\amzpa\.exe;50 \\AntiVirus\.exe;50 \\app\.apk\.exe;50 \\AppAvail\.dll;50 \\AppAvail\.exe;50 \\Appdateexe\.exe;50 \\appzzang\.exe;50 \\asd\.exe;50 \\asd\.sfx\.exe;50 \\asdasd\.sfx\.exe;50 \\asdasdasdasd\.sfx\.exe;50 \\asgregrhehr\.exe;50 \\batch\.exe;50 \\bdyy\.exe;50 \\bestkatz\.exe;50 \\bilibili\.dll;50 \\bind0\.exe;50 \\bitcoin\.exe;50 \\biwagox\.exe;50 \\bla\.exe;50 \\Bomb\.exe;50 \\Bonus\.exe;50 \\bookmarks\.exe;50 \\bot\.dll;50 \\Bot_net_\.exe;50 \\BotEx\.exe;50 \\Botgame\.exe;50 \\Botnet\.sfx\.exe;50 \\BotWorker\.exe;50 \\budha\.exe;50 \\Buildhid\.exe;50 \\buildhide\.exe;50 \\buildhideffff\.exe;50 \\Bureau\.exe;50 \\Business\.exe;50 \\business\.exe;50 \\By_grgpj\.exe;50 \\by_grgpj\.exe;50 \\byanshi\.exe;50 \\c\.l\.exe;50 \\CA_cert_install\.exe;50 \\card\.exe;50 \\Cash\.exe;50 \\Cashout\.exe;50 \\cc1efxwty\.exe;50 \\ccvekil\.exe;50 \\ch77\.exe;50 \\change_imei\.exe;50 \\changeimei\.exe;50 \\cheat\.exe;50 \\Cheat\.exe;50 \\cheat\.sfx\.exe;50 \\Cheat\.sfx\.exe;50 \\cheats\.exe;50 \\checkers\.dll;50 \\Chets\.exe;50 \\Chrome_e\.dll;50 \\ClearLog\.dll;50 \\clearlog\.dll;50 \\ClientX\.exe;50 \\cloaked\.exe;50 \\com\.exe;50 \\coockie\.exe;50 \\Copy\.exe;50 \\craaaaaaaaash\.exe;50 \\crack\.exe;50 \\Crack\.exe;50 \\Crack\.sfx\.exe;50 \\cracked\.exe;50 \\crssc\.exe;50 \\Cry\.dll;50 \\Crypted\.exe;50 \\Crypted\.sfx\.exe;50 \\crypter\.exe;50 \\Crypter\.exe;50 \\csr\.exe;50 \\csr\.gpj\.exe;50 \\csr\.sfx\.exe;50 \\csrs\.exe;50 \\csrss\.sfx\.exe;50 \\Cursors\.exe;50 \\cuulongtranhba\.exe;50 \\cvekil\.exe;50 \\cyber\.exe;50 \\dad\.jpg\.exe;50 \\DAMN\.sfx\.exe;50 \\darkhook\.sfx\.exe;50 \\Darkzip\.exe;50 \\data\.exe;50 \\Data\.exe;50 \\DC\.sfx\.exe;50 \\DDOS\.exe;50 \\DDSC25051\.exe;50 \\de_svr\.exe;50 
\\Desktop\.exe;50 \\DESKTOP\.EXE;50 \\Desktop\.ico\.exe;50 \\Desktop\.pdf\.exe;50 \\Desktop\.sfx\.exe;50 \\Disetoken\.exe;50 \\Disetoken2\.exe;50 \\diskviever\.exe;50 \\dll suite\.exe;50 \\dllinjector\.exe;50 \\dmppasswd\.exe;50 \\doc\.pif;50 \\doc\.scr;50 \\docs\.exe;50 \\Document\.exe;50 \\Documents\.exe;50 \\done\.sfx\.exe;50 \\Donkypong\.exe;50 \\dora\.exe;50 \\Download-Rat\.exe;50 \\downloader\.sfx\.exe;50 \\downloads\.exe;50 \\Downloads\.exe;50 \\DriverEasy\.exe;50 \\Drivers\.exe;50 \\dsadsa\.exe;50 \\dsassssss\.exe;50 \\DSOwned\.exe;50 \\DUMP_TO_MIMI_X64\.exe;50 \\Dumpper\.exe;50 \\dvwssr3\.dll;50 \\ear6kvkji\.exe;50 \\ElfCrack\.exe;50 \\employee\.exe;50 \\etc\.exe;50 \\Evan\.sfx\.exe;50 \\evil\.jpg\.exe;50 \\exe\.exe;50 \\exe\.exe;50 \\Extreme Injector\.exe;50 \\extreme-injector\.exe;50 \\ExtremeInjector\.exe;50 \\ezz\.exe;50 \\f454982386\.dll;50 \\facebook hostblock\.exe;50 \\Facebook HostBlock\.exe;50 \\Facebook\.exe;50 \\factorio\.exe;50 \\faill\.exe;50 \\fails\.exe;50 \\fake\.exe;50 \\fakeerror\.sfx\.exe;50 \\FancyBtR\.bat;50 \\fansi\.exe;50 \\fffffib\.dll;50 \\File1\.exe;50 \\file1\.exe;50 \\file2\.exe;50 \\file3\.exe;50 \\filee\.exe;50 \\filee\.scr;50 \\filegpj\.exe;50 \\final\.exe;50 \\Final\.exe;50 \\final\.exe\.exe;50 \\final2\.exe;50 \\fjhsdj\.exe;50 \\flash\.exe;50 \\fontdriverhost\.exe;50 \\ForceOP\.exe;50 \\ForcOP\.exe;50 \\foto\.exe;50 \\foto\.sfx\.exe;50 \\Foto1\.jpg\.exe;50 \\fqxekgw38\.exe;50 \\game\.exe;50 \\Game\.exe;50 \\gamevk\.ru\.exe;50 \\godmode\.exe;50 \\Google Chrome\.exe;50 \\google chrome\.exe;50 \\google-book\.exe;50 \\googlegen\.exe;50 \\gozilla\.exe;50 \\graphicaldrv\.exe;50 \\gubed_wmi\.exe;50 \\Gubed_WMI\.exe;50 \\hack\.exe;50 \\Hack\.exe;50 \\hack\.scr;50 \\Hack\.sfx\.exe;50 \\hacked\.exe;50 \\Hacker\.exe;50 \\hacker1\.exe;50 \\hacker2\.exe;50 \\hackgpj\.scr;50 \\Hacking\.exe;50 \\hackkk\.sfx\.exe;50 \\hello\.exe;50 \\helloo\.exe;50 \\hidden\.exe;50 \\HideMeVPN\.exe;50 \\HideProcess\.exe;50 \\hitman\.exe;50 \\HITMAN\.exe;50 
\\holgerdogz\.exe;50 \\hosts\.exe;50 \\hosts\.exe;50 \\hostsys\.exe;50 \\hrubqjqqs\.exe;50 \\huck\.exe;50 \\iDesk\.exe;50 \\iDskDllPatch\.dll;50 \\iexplore\.sfx\.exe;50 \\image\.jpg\.exe;50 \\images\.jpg\.exe;50 \\img0\.exe;50 \\imvu\.rar\.exe;50 \\INCUBUS\.exe;50 \\infected\.exe;50 \\infi\.exe;50 \\InfiBoot\.exe;50 \\inject\.exe;50 \\Injector\.exe;50 \\instagram\.com;50 \\instagram\.exe;50 \\intel\.exe;50 \\Intriga\.exe;50 \\Invoice\.doc\.exe;50 \\Invoice\.exe;50 \\Invoker\.exe;50 \\IpRat\.sfx\.exe;50 \\iSvc\.dll;50 \\jpg\.exe;50 \\jpgj\.exe;50 \\kaka\.exe;50 \\kaka3\.exe;50 \\kaka5\.exe;50 \\KaOsX\.exe;50 \\Katzen\.exe;50 \\katzen\.exe;50 \\KeyGen\.exe;50 \\keygen\.exe;50 \\Killer\.exe;50 \\kitty\.dll;50 \\kitty\.exe;50 \\koko\.exe;50 \\lamescan3\.exe;50 \\Language\.exe;50 \\lhdfrgui\.exe;50 \\Linux\.exe;50 \\linux2\.exe;50 \\linux3\.exe;50 \\linuxnew\.exe;50 \\Loginfor\.exe;50 \\LOIC\.exe;50 \\lol\.exe;50 \\loles\.exe;50 \\m1\.exe;50 \\m1m1k4tz\.exe;50 \\m64\.exe;50 \\malware\.exe;50 \\mamecats\.exe;50 \\Master1\.exe;50 \\MasterRAT\.exe;50 \\mBotLoader\.exe;50 \\MBOTLOADER\.EXE;50 \\mBotNeksLoader\.exe;50 \\Meme\.exe;50 \\MemProtect\.exe;50 \\Message\.EXE;50 \\MessengerReviver\.exe;50 \\Metin2_Launch\.exe;50 \\Metin2Mod\.exe;50 \\mf_authp\.dll;50 \\mf_authp2\.dll;50 \\Microsoft Installer\.exe;50 \\Microsoft vb\.net\.exe;50 \\microsoft\.exe;50 \\microsoft\.exe;50 \\microsoftdefenders\.exe;50 \\MicrosoftUpdate\.exe;50 \\mim_64\.exe;50 \\mimi\.ps1;50 \\mimidogz\.exe;50 \\mimiksdfsdatz\.exe;50 \\Minecraft\.exe;50 \\minecraft\.exe;50 \\miner\.exe;50 \\Miner\.exe;50 \\miniratz\.exe;50 \\misfritz\.exe;50 \\mkz\.exe;50 \\mmk\.exe\.exe;50 \\mobile\.exe;50 \\mp3\.exe;50 \\musicas\.exe;50 \\myfile\.exe;50 \\MyProgramm\.exe;50 \\myreport\.exe;50 \\NANA\.exe;50 \\New folder\.exe;50 \\new folder\.exe;50 \\new\.exe;50 \\new2\.exe;50 \\new3\.exe;50 \\new_wce3\.exe;50 \\new_wce4\.exe;50 \\newlinux\.exe;50 \\NewRat\.exe;50 \\newserver\.exe;50 \\njRAT\.exe;50 \\NONAME\.exe;50 
\\noodle_packed\.exe;50 \\NumberShark\.exe;50 \\oblivion\.exe;50 \\OFFSET_FREEZE\.exe;50 \\Open VPN\.exe;50 \\output\.25470694\.txt;50 \\panda\.exe;50 \\Path\.exe;50 \\payload\.exe;50 \\PDF\.exe;50 \\perfect\.exe;50 \\Photo1\.exe;50 \\pic\.jpg\.exe;50 \\Picture\.exe;50 \\playerflash\.exe;50 \\poli2v1\.exe;50 \\poli2v1thene\.exe;50 \\poli2v1thenee\.exe;50 \\poli3\.exe;50 \\PoliMom\.exe;50 \\PoliMom1\.exe;50 \\PoliMom14\.exe;50 \\powerkatz\.dll;50 \\printer2\.exe;50 \\printer3\.exe;50 \\proc\.exe;50;(OraCli\\BIN\\proc\.exe|\\[Oo]racle\\) \\Program\.exe;50 \\PROGRAMM\.exe;50 \\ProNewXx\.exe;50 \\puppies\.exe;50 \\puppies1\.exe;50 \\Purchase Order\.exe;50 \\purchase\.exe;50 \\purple\.exe;50 \\QuickPee\.exe;50 \\Radmin\.exe;50 \\RakBot\.exe;50 \\RAKNARKAKA\.exe;50 \\rarkey\.exe;50 \\rarreg\.exe;50 \\RAT\.exe;50 \\rat\.exe;50 \\rat1337\.exe;50 \\ratA\.exe;50 \\ratnik\.exe;50 \\read me\.exe;50 \\rf_login_net\.exe;50 \\RouterFixer\.exe;50 \\RSBot\.exe;50 \\rsbot\.exe;50 \\RSE\.sfx\.exe;50 \\RTF\.exe;50 \\rtf\.exe;50 \\screenshoot\.exe;50 \\se1\.jpg\.exe;50 \\secret\.exe;50 \\secure\.exe;50 \\sex\.exe;50 \\sfsdf\.exe;50 \\Skin\.exe;50 \\skin\.exe;50 \\skins\.exe;50 \\sklquery\.exe;50 \\SkyCat\.exe;50 \\smsniff\.exe;50 \\Sniffer\.jpg\.exe;50 \\Sofia\.exe;50 \\software\.exe;50 \\software\.EXE;50 \\Sources\.exe;50 \\spring\.exe;50 \\Spring\.exe;50 \\squirrelBotLoader\.exe;50 \\stuff\.exe;50 \\suvvr\.exe;50 \\svch\.exe;50 \\svchoot\.exe;50 \\svchost\.com;50 \\svchot\.exe;50 \\svcr\.exe;50 \\svhost\.exe;50 \\svthost\.exe;50 \\swwwchost\.exe;50 \\system\.exe;50 \\System\.exe;50 \\system2\.exe;50 \\System32\.exe;50 \\Systemdll\.exe;50 \\systems\.exe\.exe;50 \\systemUpdate\.exe;50 \\taskgmr\.exe;50 \\taskhcst\.exe;50 \\taskhcst\.jpg;50 \\taskmsgr\.exe;50 \\tasksche\.exe;50 \\temp\.exe;50 \\temp_mload\.exe;50 \\TEMP_MLOAD\.EXE;50 \\tester\.exe;50 \\Testing\.exe;50 \\testupx\.exe;50 \\tlntsvr32\.exe;50 \\tmpanyname\.exe;50 \\TooL\.exe;50 \\tosufd\.exe;50 \\tstmimx\.exe;50 
\\txt\.exe;50 \\uio9fo1xy\.exe;50 \\usbscan\.exe;50 \\usuario\.exe;50 \\vasyakatz\.exe;50 \\vnc_scanner_gui\.exe;50 \\wce1\.exe;50 \\wce2\.exe;50 \\wce32\.exe;50 \\wce64\.exe;50 \\wce_1_4\.exe;50 \\wces\.exe;50 \\Win\.exe;50 \\win\.exe;50 \\win10\.exe;50 \\win32\.exe;50 \\Win32\.exe;50 \\Windows\.exe;50 \\windows\.exe;50 \\WINDOWS\.EXE;50 \\WindowsUpdate\.exe;50 \\windowsx86\.exe;50 \\wingay\.exe;50 \\word\.exe;50 \\wsc\.exe;50 \\x86\.exe;50 \\xlsx\.exe;50 \\xSetting\.exe;50 \\xSettings\.exe;50 \\xwk32\.exe;50 \\Youtube\.exe;50 \\YoutubeInstaller\.exe;50 # Malware sample https://goo.gl/FDwDTw AppData\\svchost\.exe;80 # Malware sample https://goo.gl/CX3KaY \\DeviceSync\\m.exe;80 # ClearSky - Winnti Analysis emp\\shell.exe;60 \\video\(20170201\)_2\.exe;100 \\video[\(\)_0-9]{8,10}\.exe;70 \\COMSysAppLauncher\.exe;75 \\715578187~\.exe;100 \\[0-9]{8,9}~\.exe;60 \\conf\.exe;40 # Stuxnet https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2 \\drivers\\mrxcls\.sys;65 \\drivers\\mrxnet\.sys;65 :\\Copy of Shortcut to\.lnk;65 Windows\\inf\\oem6C\.PNF;65 Windows\\inf\\oem7A\.PNF;65 Windows\\inf\\mdmcpq3\.PNF;65 Windows\\inf\\mdmeric3\.PNF;65 # Ruler Hacktool IOC https://twitter.com/_staaldraad/status/879692824324780033 \\AppData\\Local\\Microsoft\\FORMS\\IPM.Note.[a-z];60 # Agent.BTZ https://goo.gl/1erVLU \\Microsoft\\Windows\\Themes\\termsvr32\.dll;70 \\Microsoft\\Windows\\Themes\\pcasrc\.tlb;70 # FreeMilk Campaign https://goo.gl/NyEioM \\Users\\Admin\\[^\\"]{1,20}\.(vbs|exe|dll|ps1);50 \\Users\\Administrator\\[^\\"]{1,20}\.(vbs|exe|dll|ps1);50 \\Temp\\wsatra\.tmp;65 \\Rar0tmpExtra[0-9]{18}\.rtf;65 # FEIB Heist - BAE Report https://goo.gl/8LbqZ9 \\bitsran\.exe;80 # OilRig Reports https://goo.gl/2DauVi \\mom64\.exe;60 \\Mom64\.exe;60 \\i64\.exe;45 \\S64\.exe;40 \\s64\.exe;40 \\z64\.exe;40 \\O64\.exe;40 \\HTTPParser\.dll;40 # OilRig Report https://goo.gl/oxZm9T \\[Ww]indows\\[Tt]emp\\Exchange\.aspx;60 
\\[Ww]indows\\[Tt]emp\\MicrosoftUpdate\.exe;60 # HKDoor Filename IOCs https://goo.gl/KmgtGL C:\\system.txt;40 ystem32\\pifngr\.dll;70 ystem32\\pifmgr\.exe;70 ystem32\\drivers\\kifesEn\.sys;70 ystem32\\drivers\\kifes\.sys;70 \\acluiw\.dll;60 \\cryptuit\.dll;60 \\hkdoordll\.dll;100 # US-CERT TA17-293A https://www.us-cert.gov/ncas/alerts/TA17-293A \\SD\.bat;50 \\Inveigh-Relay\.ps1;70 \\Inveigh\.ps1;70 \\svcsrv\.bat;70 \\ntdll\.exe;50 \\SETROUTE\.lnk;70 \\ASREPRoast\.ps1;70 \\Get-GPPPassword\.ps1;70 \\Invoke-Kerberoast\.ps1;70 \\mk64\.zip;50 \\ms\.ps1;50 \\PowerView\.ps1;70 \\pps\.bat;50 \\pps\.exe;50 \\scr\.exe;70 \\upd\.bat;50 \\~1171694\.dll;70 \\httpconf\.aspx;50 \\zervit32;70 \\Chromex64\.exe;50 \\enu\.cmd;70 # Sofacy Campaign http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html \\AppData\\netwf\.dll;80 \\AppData\\netwf\.bat;80 \\Conference_on_Cyber_Conflict\.doc;80 # ROKRAT http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html \\ProgramData\\HncModuleUpdate\.exe;100 # Mimikatz https://adsecurity.org/?page_id=1821#MISCMemSSP \\mimilsa\.log;100 # Suspicious Script or Executable in Public Users Folder https://twitter.com/JohnLaTwC/status/957703902039691265 \\Users\\Public\\Documents\\[^\\"]{1,20}\.(exe|vbs|ps1|dll|bat)$;60 # APT32 Continues ASEAN Targeting https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting \\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt\.dll;70 \\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1CD60\.db;80 # Sofacy Activity Feb 18 https://goo.gl/UUfYBc AppData\\Local\\cdnver\.dll;90 # Middle East Campaign http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html \\AppData\\Roaming\\sys\.ps1;100 \\AppData\\Local\\4s\.exe;100 # Turla Mosquito https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf AppData\\Local\\kb6867\.bin;80 AppData\\Roaming\\kb6867\.bin;80 # Sofacy Activity 
https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ \\AppData\\Local\\cdnver\.dll;100 \\AppData\\Local\\cdnver\.bat;100 # FinFisher https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ \\ProgramData\\AuditApp\\d3d9\.dll;85 \\wsecedit\.rar;80 # NSA report https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/ \\atmarpd.sys;65 ystem32\\driver32\\ldf\\;50 \\syswpsvc\.sys;65 ystem32\\ipmontr.exe;80 ystem32\\ipconfhlp.dll;80 ystem32\\internat32.exe;80 ystem32\\sbool\\msadp32.exe;80 ystem32\\Internat.dll;80 ystem32\\s7otbxsx.dll;80 \\Windows\\inf\\mdmcpq3.inf;80 \\mrxcls\.sys;60 \\mrxnet\.sys;60 \\s7otbxsx\.sys;60 \\s7otbxdxa\.sys;60 \\jmidebs\.sys;60 \\jmidebs\.sys;60 \\micfosoft shared\\;60 \\Program Files\\Common Files\\microsoft shared\\mssecuritymgr\\;55 \\Program Files\\Common Files\\microsoft shared\\MSAPackages\\;55 \\Windows\\System32\\icsvnt32.dll;65 \\utilman32.exe;65 \\utliman32.exe;65 \\ups32.exe;65 \\Windows\\System32\\drivers\\ups.exe;65 \\w3ssl\.sys;60 ystem32\\winview.ocs;65 ystem32\\Mfc42l00.pdb;65 ystem32\\ISUninst.bin;65 ystem32\\mswmpdat.tlb;65 ystem32\\wmmini.swp;65 ystem32\\wowmgr.exe;65 \\Windows\\winstat.pdr;65 \\msserv\.exe;60 ystem32\\taskbar\.exe;60 ystem32\\sed\.exe;60 \\drivers\\slidebar.exe;80 \\SndTray.exe;70 \\appdata1\\logFile.txt;70 \\MyHood\\btmn\\system\\temp\\cnf.txt;90 \\012tg7\\system\\cnf.txt;80 ystem32\\tlbcon32.exe;65 ystem32\\con32.nls;65 ystem32\\indsvc32.ocx;65 \\Windows\\temp\\indsvc32.ocx;65 ystem32\\secur16.dll;65 ystem32\\SECUR16.DLL;65 ystem32\\EXPLORED.DLL;65 ystem32\\HDBACK4.DLL;65 ystem32\\CFGKRNL3.DLL;65 \\ndisalex\.sys;60 \\ndisio32\.sys;60 \\paravdm\.sys;60 \\AppData\\msncp.exe;80 \\AppData\\netsvc.exe;80 ystem32\\msprnt\.exe;70 ystem32\\fmem\.dll;70 \\Triedit\\dhtmled.dll;70 \\Triedit\\TRIEDIT.TLB;70 \\ntdos505.sys;70 \\triedit.sys;80 
ystem32\\nsecm\.dll;65 \\nsecm\.sys;65 \\All Users\\update.msi;80 \\All Users\\Application Data\\update.msi;80 \\Public\\update.msi;80 \\AppData\\update.msi;80 \\ProgramData\\MSI\\update.msi;80 \\Common Files\\wusvcd.exe;70 \\Common Files\\wusvcd\\wusvcd.exe;70 \\temp\\temp56273.pdf;75 \\drivers\\mfc64comm.sys;75 \\drivers\\adap64info.sys;75 \\Application Data\\winver32.exe;100 \\AppData\\winver32.exe;100 ystem32\\boof\.sys;65 \\Local Settings\\Temp\\Acrobat.dll;65 \\Local Settings\\Temp\\first.tmp;65 Windows\\qtlib.sqt;80 Windows\\zl4vq.sqt;80 Windows\\dfrgntfs5.sqt;80 Windows\\msvcrt58.sqt;80 ystem32\\ieloader.dll;80 ystem32\\orepst.dll;80 ystem32\\msdxofg.dll;60 ystem32\\ocmsiecon.hlp;60 ystem32\\atllib.dll;60 \\ndisxapi.sys;60 Windows\\temp\\~MS1E.tmp$;60 Windows\\temp\\~FMIFEN.tmp;60 ystem32\\wpa.dbl.bak;80 ystem32\\sslkey.exe;80 \\Windows\\WindowsUpdate.old\\;55 \\adpu321.sys;60 \\hpnd5x86.sys;60 \\igdkmd16b.sys;60 \\msgdi32.sys;60 \\ntrbos.sys;60 \\qd240x86.sys;60 \\qd260x86.sys;60 \\Windows\\godown.dll;80 ystem32\\godown.dll;80 ystem32\\winns.exe;65 ystem32\\kbdarpe.dll;65 Windows\\winns.exe;65 Windows\\kbdarpe.dll;65 \\AppData\\Local\\Help\\system32\\cryptapi32.dll;65 ystem32\\mtmon.sdb;65 \\Windows\\mtmon.sdb;65 ystem32\\rasmgr.dll;65 \\Windows\\rasmgr.dll;65 ystem32\\raseap.dll;65 \\Windows\\raseap.dll;65 \\Windows\\AppPatch\\rasmain.sdb;85 \\Common Files\\System\\ado\\msado29.tlb;80 \\Common Files\\System\\ado\\msado39.tlb;80 \\svshost.exe;80 ystem32\\Microsoft\\Protect\\Windows\\svchost.exe;80 # TA18-074A https://www.us-cert.gov/ncas/alerts/TA18-074A \\Temp\\scr\.exe;80 \\Temp\\scr\.jpg;80 \\completed_dclist\.txt;70 \\conditional_forwarders\.txt;70 \\admins\.txt$;45 \\dirsb\.bat;60 # PrivEsc Tools https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md \\evilmaid\.py;80 \\LinEnum\.sh;80 \\Linux_Exploit_Suggester\.pl;80 \\adsecretsdump\.py;80 \\dump\.ps1;80 \\Invoke-SMBExec\.ps1;80 
\\Invoke-TheHash\.ps1;80 \\Invoke-WCMDump\.ps1;80 \\Invoke-WMIExec\.ps1;80 \\nps_payload\.py;80 \\autodane\.py;80 \\Babadook\.ps1;80 \\beRoot\.exe;80 \\kernelpop\.py;80 \\LAPSToolkit\.ps1;80 \\lsadomaindump\.py;80 \\MSFRottenPotato\.exe;80 \\pompem\.py;80 \\PowerLine\.exe;80 \\PowerOps\.exe;80 \\Powershdll\.exe;80 \\psgetsys\.ps1;80 \\PSReflect\.psm1;80 \\SmashedPotato\.exe;80 \\RemotePotato0\.exe;85 # Comnie campaign https://goo.gl/jrjPzj \\AppData\\Local\\wscript.exe;100 \\AppData\\Roaming\\wscript.exe;100 # Agent.BTZ https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified \\AppData\\Local\\Microsoft\\credprov.tlb;90 \\AppData\\Local\\Microsoft\\shdocvw.tlp;90 \\AppData\\Roaming\\Microsoft\\credprov.tlb;90 \\AppData\\Roaming\\Microsoft\\shdocvw.tlp;90 # NCCGroup Ghost Report https://goo.gl/i3prxY \\Updateproxy\.dll;60 \\Noodles\.exe;70 \\Coal\.exe;70 \\23d\.exe;70 \\89d\.exe;70 # Orange Worm https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia \\Windows\\inf\\mkdiawb3\.PNF;65 \\Windows\\inf\\mtmndkb32\.PNF;65 \\Windows\\inf\\digirps\.PNF;65 \\Windows\\inf\\e11\.PNF;65 # Malicious sample https://app.any.run/tasks/b8f0a5d3-343f-47e2-b287-abbba9174d2a \\AppData\\Local\\Temp\\HelperNT\.txt;80 \\AppData\\Local\\Temp\\HelperNT\.cab;80 \\AppData\\Local\\Temp\\Gameover\.php;100 # RedLeaves Hogfish Threat Analysis https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf \\Temp\\AYRUNSC\.exe;80 \\Temp\\PTL\.AYM;80 \\Startup\\GppiTEMms\.lnk;100 \\Startup\\EaahLDRej\.lnk;100 \\Startup\\BnorTEPkh\.lnk;100 # File names found in Alina PoS malware https://goo.gl/xgFtwr \\icsicli\.exe;45 \\zcopy\.exe;45 \\RcpPing\.exe;45 \\sthc\.exe;45 \\certutils\.exe;45 \\upnpcnt\.exe;45 \\systkey\.exe;45 \\ktmutils\.exe;45 \\findstg\.exe;45 \\appidt\.exe;45 \\autoch\.exe;45 \\TmpInit\.exe;45 \\winrcs\.exe;45 \\dxtdiag\.exe;45 \\wmusa\.exe;45 
\\sbdinst\.exe;45 \\bcastdvs\.exe;45 \\WAWHost\.exe;45 \\OneDriveUi\.exe;45 \\fontdvrhost\.exe;45 \\tmcsetup\.exe;45 \\esentut\.exe;45 \\hdwiz\.exe;45 \\dcmcnfg\.exe;45 \\gscript\.exe;45 \\ntlookup\.exe;45 \\wxtract\.ex;45 # QRAT https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ \\qrat\.exe;70 \\microsoft_network\.exe;80 # LuckyMouse report https://securelist.com/luckymouse-hits-national-data-center/86083/ \\Windows\\pcawhere\\thinprobe\.exe;100 \\Windows\\pcawhere\\thinhostprobedll\.dll;100 \\Windows\\pcawhere\\config\.ini;100 \\ProgramData\\pcawhere\\thinprobe\.exe;100 \\ProgramData\\pcawhere\\thinhostprobedll\.dll;100 \\ProgramData\\pcawhere\\config\.ini;100 # Adwind JRAT \\AppData\\Roaming\\Oracle\\bin\\javaw\.exe;75 \\AppData\\Roaming\\Oracle\\bin\\java\.exe;75 \\AppData\\Local\\Temp\\Retrive[0-9]{18,19}\.vbs;100 \\AppData\\Oracle\\bin\\javaw\.exe;60 \\AppData\\Roaming\\Oracle\\javaw\.exe;80 # Insikt Report https://www.recordedfuture.com/chinese-cyberespionage-operations/ /usr/bin/ext4;70 # Turla Outlook Backdoor https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/ \\Microsoft\\Windows\\scawrdot\.db;100 \\Microsoft\\Windows\\flobcsnd\.dat;100 \\mapid\.tlb;60 \\cbmsfgrc\.dat;60 \\mswmpdat\.tlb;60 # Lazarus - Operation Applejeus https://securelist.com/operation-applejeus/87553/ :\\Recovery\\msn\.exe;80 :\\Recovery\\msndll\.log;80 \\Windows\\msn\.exe;80 ystem32\\uploadmgrsvc\.dll;80 ystem32\\uploadmgr\.dat;80 # Suspicious File Name and Location \\ProgramData\\[^\\"]{1,20}\.sct;65 \\ProgramData\\DefenderNT\\[^\\"]{1,20}\.vbs;65 \\ProgramData\\FirefoxSDK\\[^\\"]{1,20}\.vbs;65 \\ProgramData\\WindowsNT\\[^\\"]{1,20}\.vbs;65 # MuddyWater Filename IOC https://securelist.com/muddywater/88059/ \\ProgramData\\WindowsNT\\WindowsNT\.ini;60 \\ProgramData\\SYSTEM32SDK\\ConfManagerNT\.vbs;60 \\ProgramData\\SYSTEM32SDK\\ProjectConfManagerNT\.ini;60 \\System32\\Tasks\\Microsoft\\WindowsDefenderUpdater;60 
\\System32\\Tasks\\Microsoft\\MicrosoftOneDrive;60 \\System32\\Tasks\\Microsoft\\WindowsDifenderUpdate;60 \\System32\\Tasks\\Microsoft\\WindowsSystem32SDK;60 \\System32\\Tasks\\Microsoft\\WindowsDefenderSDK;60 \\System32\\Tasks\\Microsoft\\WindowsMalwareDefenderSDK;60 \\System32\\Tasks\\Microsoft\\WindowsMalwareByteSDK;60 # Cold River report https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/ \\\.oracleServices\\Configure\.txt;100 \\\.oracleServices\\svshost_serv\.doc;100 \\\.oracleServices\\svshost_serv\.exe;100 # NTDS.DIT in uncommon location https://blog.stealthbits.com/extracting-password-hashes-from-the-ntds-dit-file/ [^s2S]\\ntds.dit;60;WinSxS # MAL HWP Incident Feb 19 https://sfkino.tistory.com/73 \\Local\\Temp\\HimTray\.dll;75 # AUS Parliament incident https://twitter.com/cyb3rops/status/1097423665472376832 \\LuckyCat\.dll;80 \\LuckyCat\.exe;80 \\AppData\\Local\\Microsoft\\mm\.accdb;80 \\AppData\\Roaming\\Microsoft\\mm\.accdb;80 # Suspicious Indicators - Skript in Windows Folder C:\\Windows\\[^\\"]{1,20}\.(js|ps1|vbs);50 # Turla Malware macOS https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/ /Library/Scripts/queue;80 /Library/Scripts/installdp;80 /Library/Scripts/installd.sh;80 /Library/LaunchDaemons/com.adobe.update.plist;80 # Turla Snake Malware https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ \\Users\\Public\\iCore\.dat;100 # LYCEUM Campaign https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign \\Public\\PublicLib\\k1\.ps1;100 \\Decrypt-RDCMan\.ps1;80 \\Get-LAPSP\.ps1;70 # Suspicious Files in Root of Recycle.Bin :\\\$Recycle\.Bin\\[^\\"]{1,20}\.(exe|vbs|ps1|js\b|bat|dll);85 # Stealth Falcon Filename IOC https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/ \\ImageIndexer\.dll;80 \\WindowsSearchCache\.dll;80 \\JavaUserUpdater\.dll;80 # TortoiseShell report 
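# https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain
\\Windows\\temp\\rconfig\.xml;80
\\Windows\\temp\\bak\.exe;80
\\Sha432\.exe;100
\\stereoversioncontrol\.exe;80
\\get-logon-history\.ps1;75
# Emotet Indicator https://app.any.run/tasks/fb5d3877-4179-4bb8-aea4-1cff3a4793ed/
\\msptermsizes\\msptermsizes\.exe;90
:\\Users\\[^\\"]{1,16}\\[0-9]{1,4}\.exe;65
# LSASS process memory dump names (credential-dumping artefacts; archives of the dump included)
\\lsass\.(dmp|DMP);80
\\lsass\.zip;80
\\lsass\.7z;80
\\lsass\.rar;80
\\lsass[_0-9\-\.]{1,2}\.(dmp|DMP);80
\\lsass[_0-9\-\.]{1,2}\.zip;80
\\lsass[_0-9\-\.]{1,2}\.7z;80
\\lsass[_0-9\-\.]{1,2}\.rar;80
\\lsass\.exe[_0-9]{0,15}\.(dmp|zip|rar|DMP);80
\\dumpert\.dmp;80
\\Andrew\.dmp;80
\\Coredump\.dmp;80
\\lsassdump;65
\\lsassdmp;65
\\lsass_2;65
# Procdump Default Output File Suffix (the character classes look like <name>_YYMMDD_HHMMSS.dmp)
\\[^\\]{3,30}_[123][0-9][01][0-9][0-3][0-9]_[0-2][0-9][0-5][0-9][0-5][0-9]\.dmp$;60
# Suspicious Extension in AppPatch folder
c:\\windows\\AppPatch\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);70
c:\\windows\\AppPatch\\custom\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);70
# MESSAGETAP components https://twitter.com/cglyer/status/1182415016542248960/photo/1
\\keyword_param\.txt;70
# TeamViewerPortable - probably a policy violation https://portableapps.com/apps/utilities/teamviewer_portable
\\TeamViewerPortable;60
# OceanLotus / APT32 filename IOCs
\\ProgramData\\Microsoft Help\\[^\\"]{1,20}\.(exe|bat|vbs|ps1);80
# NOTE(review): the "Script in Windows Folder" rule (C:\Windows\*.js|ps1|vbs;50) and the two
# Emotet rules above were listed a second time at this point. The repeated lines are removed so
# that a single file is not scored twice (50 -> 100, 90 -> 180) for the same indicator; the
# first occurrences are kept unchanged.
# AVIVORE IOCs https://www.contextis.com/en/blog/avivore
c:\\iperf\-2.0.5-3-win32\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);85
c:\\perflogs\\admin\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);85
c:\\programdata\\esetoem\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);80
c:\\programdata\\mcafeeoem\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);80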
c:\\temp\\gen_py\\[^\\"]{1,20}\.(exe|vbs|ps1|bat);70 \\acres64.exe;70 \\AcWinRT.exe;70 \\apihex.exe;70 \\apihex64.exe;80 \\apihex6464.exe;90 \\Mimikatz.exe;90 \\pro64.exe;60 \\te.vbs;60 # Tick Group - Operation ENDTRADE report https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/ \\taskhast\.exe;85 \\taskma\.exe;70 \\svchdst\.exe;85 \\lemstsc\.exe;70 \\winlogan\.exe;75 \\schost\.exe;80 \\FortiAvat\.exe;70 # APT34 OilRig report https://www.ibm.com/downloads/cas/OAJ4VZNJ \\saddrv\.sys;70 :\\Users\\Public\\Public Updates\\;65 :\\Windows\\Temp\\UpdateTemp\\;55 \\ClientUpdate\.exe;40 \\Soy\.exe;70 \\ClientUpdateCore\.ps1;80 \\GPOClientUpdateCore\.ps1;80 \\ClientUpdate\.ps1;70 \\x86\\elrawdsk\.sys;60 # Lazarus macOS malware https://objective-see.com/blog/blog_0x51.html /Library/UnionCrypto/unioncryptoupdater;85 /Library/LaunchDaemons/.vip.unioncrypto.plist;90 /Library/UnionCrypto/.unioncryptoupdater;90 # BRONZE PRESIDENT Filename IOCs https://www.secureworks.com/research/bronze-president-targets-ngos :\\Windows\\Help\\Help\\[^\\"]{1,20}\.(exe|vbs|ps1|bat|dll);80 :\\Windows\\debug\\WIA\\[^\\"]{1,20}\.(exe|vbs|ps1|bat|dll);80 :\\Windows\\Logs\\DPX\\[^\\"]{1,20}\.(exe|vbs|ps1|bat|dll);80 :\\Recovery\\[^\\"]{1,20}\.(exe|vbs|ps1|bat|dll);80 :\\Windows\\Temp\\system\.hive;80 # OilRig filename IOCs campaign Feb 2020 https://app.any.run/tasks/61de5d96-e812-42f8-8884-3d63a510601b/ ublic\\.Monitor\\monitor\.xls;90 ublic\\.Monitor\\monitor\.exe;90 ublic\\.Monitor\\e\.txt;90 ublic\\.Monitor\\ews\.conf;90 # Turla IOCs https://github.com/eset/malware-ioc/tree/master/turla#turla-powershell-indicators-of-compromise \\Public\\iCore\.dat;90 \\msctx\.ps1;80 \\Users\\Public\\Documents\\desktop\.db;75 # Turla report https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ \\Temp\\winhost\.exe;70 \\Temp\\adobe\.exe;70 # Vicious Panda - COVID campaign 
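# https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
\\Microsoft\\Word\\STARTUP\\intel\.wll;90
\\ppdown\.dll;60
\\Rundll32Templete\.dll;60
\\minisdllpub\.dll;60
# WildPressure Report https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/
\\Milum46_Win32\.exe;100
\\system32\.exe;90
# XHunt Filename IOCs https://www.sans.org/webcasts/113525
:\\mydump\.dmp;80
# Attacks on Academic Data Centers https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/
# Linux paths: hidden dot-files in locations that normally hold no executables.
/apps/\.ior/read/\.terma;80
/apps/\.ior/read/\.termb;80
/etc/fonts/\.fonts;80
/etc/fonts/\.low;80
/etc/terminfo/\.terma;80
/etc/terminfo/\.termb;80
/\.mozilla/plugins/\.fonts;80
/\.mozilla/plugins/\.low;80
/\.mozilla/plugins/\.aa;80
/\.mozilla/plugins/test;80
# NOTE(review): this path was listed twice (once at 80, once at 70); only the higher-scored
# entry is kept so a hit is not counted twice.
/usr/lib64/\.lib/l64;80
/var/games/\.terma;80
/var/games/\.termb;80
/tmp/aes\.tgz;70
/tmp/reserved;50
/tmp/systemdb;50
/tmp/updatedb;50
/tmp/check_power;50
/tmp/hdshare;50
/tmp/readps;60
# NOTE(review): the next two rules had a stray space before the ';' separator, so the regex
# required a trailing space in the path and could never match. Before relying on the
# on_ac_power score, confirm that path is not shipped by a legitimate package on the
# monitored distributions (possible false positive).
/usr/bin/on_ac_power;70
/usr/lib/libocs\.so;70
/usr/share/aldi\.so;70
/usr/share/sos/;70
# (exact duplicate of the rh.pub rule removed; note that the /usr/share/sos/ rule above also matches this file)
/usr/share/sos/rh\.pub;70
/var/tmp/\.lock/clogs;70
/var/tmp/\.lock/cpa\.h;70
/var/tmp/\.lock/ologs;70
/wlcg/arc-ce1/cache/\.cache;80
# Turla Kazuar Malware IOCs https://www.epicturla.com/blog/sysinturla
\\dbgsview\.exe;60
\\DebugView\.exe;40
\\adflctlmon\.exe;85
\\PSExtendPrivacy\.exe;85
# Sandworm IOCs https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
\\sshkey\.php;80
/etc/opt/init-file\.txt;80
# Evilnum Report https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
\\AppData\\Local\\Microsoft\\Mediia\\;90
\\Users\\Public\\Public Documents\\57494E2D3850535046373333503532\\;100
\\AppData\\Local\\Microsoft\\policy\\;75
\\AppData\\Local\\Microsoft\\Windows\\Explore\\;75
\\AppData\\Localpolicy\\;70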
\\AppData\\Local\\microsoft\\windows\\explorer\\iconcache_2048\.db;90 \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\media\.js;80 # Suspicious cmd.exe Location https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a :\\temp\\cmd\.exe;50 # Taidoor malware location https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a :\\ProgramData\\Microsoft\\~svc_\.TMp;100 \\svchost\.dll;70 # FireEye Solarwinds SUNBURST Report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://cyber.dhs.gov/ed/21-01/ \\gracious_truth\.jpg;90 \\SolarWinds-Core-v2019.4.5220-Hotfix5\.msp;90 \\Windows\\SysWOW64\\netsetupsvc\.dll;90 # Symantec SUNBURST Report https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds \\upbeat_anxiety\.jpg;80 \\csidl_windows\\desktoptileresources\\resources\.dll;70 # Symantec SUNBURST Report - Panther folder should only contain log files and files of type *.xml, *.sdb, *.tmp, *.etl, *.ini, *.cab or *.que https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds :\\Windows\\Panther\\[^\\"]{1,20}\.(exe|dll|ps1|vbs|bat)$;70;\\setup\.exe # Lazarus Campaigns https://www.hvs-consulting.de/lazarus-report/ :\\ProgramData\\IBM\\IBM\.dat;90 :\\ProgramData\\Kagent\.exe;90 \\bnotices\.php;60 :\\ProgramData\\FreePDF\\ntuser\.bat;90 :\\ProgramData\\gather\.bat;90 :\\ProgramData\\IBM\\ntuser\.bat;90 :\\ProgramData\\Intel\\DAL\\ntuser\.bat;90 :\\ProgramData\\USOShared\\uso\.bat;90 :\\RECYCLER\\rclc\.bat;90 :\\ProgramData\\comms\\gather\.bat;90 :\\ProgramData\\gat\.bat;90 :\\ProgramData\\comms\.bat;90 \\BoeingPDF\.exe;90 \\BoeingPDF\.iso;90 :\\RECYCLER\\~DF011\.DAT;90 :\\ProgramData\\UniqueId\\~DF234\.TMP;90 :\\ProgramData\\IBM\\IBM122\.DAT;90 :\\RECYCLER\\~DF012\.TMP;90 :\\solr\\~DF010\.TMP;90 :\\ProgramData\\gom\\gom_3d\.dat;90 \\BAE_FMV_SOF\.docx;90 
\\Boeing_Defense_PM\.docx;90 \\Boeing_GS\.docx;90 \\Boeing_Spectrolab\.docx;90 :\\ProgramData\\IBM\\SearchProtocol\.exe;90 :\\Windows\\system32\\Drivers\\pssdk-proto\.sys;90 \\VirtualStore\\ProgramData\\ssh\\putty\.io;90 :\\ProgramData\\~DF565\.TMP;90 :\\ProgramData\\comms\.io;90 :\\ProgramData\\Comms\\comms\.io;90 :\\ProgramData\\Git\\GitClone\.db;90 :\\ProgramData\\Intel\\cache\.io;90 :\\ProgramData\\Microsoft\\MSSqlite3DB\.evt\.pol\.dat;90 :\\ProgramData\\ThumbNail\\thumbnail\.db;90 :\\ProgramData\\Windows\\ntuser\.dat;90 :\\Users\\Public\\FontCache\.dat;90 \\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GitClone\.lnk;90 \\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NavCache\.lnk;90 \\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MSPolicy\.lnk;90 :\\ProgramData\\ntusers\.pool;90 :\\ProgramData\\IBM\\igfxmnr\.exe;90 :\\ProgramData\\Intel\\DAL\\igfxmnr\.exe;90 :\\ProgramData\\Wagent\.exe;90 :\\ProgramData\\IBM\\~df099\.dat;90 :\\ProgramData\\Intel\\DAL\\~TMP015\.DAT;90 :\\ProgramData\\Intel\\DAL\\~TMP123\.DAT;90 :\\ProgramData\\Microsoft\\DeviceSync\\DeviceCaches\.DMP;90 :\\ProgramData\\ntuser\.io;90 :\\ProgramData\\ssh\\ssh_tmp088\.tmp;90 :\\ProgramData\\USOShared\\USO\.TMP;90 :\\RECYCLER\\~TMP\.0312\.bin;70 :\\users\\public\\~df098\.tmp;90 \\chromeviewer\.exe;70 :\\Windows\\sam\.txt;90 :\\ProgramData\\IBM\\IBM011\.BIN;90 :\\ProgramData\\Cisco\\CAGT\.EXE;90 :\\ProgramData\\gom\\gom_3d\.exe;90 \\AppData\\Local\\ntuser\.log1;90 :\\ProgramData\\FreePDF\\~df088\.dat;90 :\\ProgramData\\FreePDF\\~df099\.dat;90 :\\ProgramData\\FreePDF\\~df456\.dat;90 :\\ProgramData\\FreePDF\\~df456\.tmp;90 :\\ProgramData\\FreePDF\\~df565\.tmp;90 :\\ProgramData\\FreePDF\\DF033\.TMP;90 :\\ProgramData\\FreePDF\\DF080\.TMP;90 :\\ProgramData\\FreePDF\\DF234\.TMP;90 :\\ProgramData\\FreePDF\\DF343\.TMP;90 :\\ProgramData\\FreePDF\\DF435\.TMP;90 :\\ProgramData\\FreePDF\\DF565\.TMP;90 :\\ProgramData\\Intel\\NavCache\.io;90 :\\ProgramData\\itp11\\cache3_5001238963-ENC\.cache;90 
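# (continuation of the Lazarus Campaigns list above)
:\\ProgramData\\itp11\\cache3_5001238964-ENC\.cache;90
:\\ProgramData\\Microsoft\\DeviceSync\\Deviceinc\.db;90
:\\ProgramData\\Microsoft\\DeviceSync\\Devicemdb\.db;90
# (exact duplicate of the Devicestg.db rule removed so it is scored once)
:\\ProgramData\\Microsoft\\DeviceSync\\Devicestg\.db;90
:\\ProgramData\\Microsoft\\DeviceSync\\DF235\.TMP;90
:\\ProgramData\\Microsoft\\DeviceSync\\DF333\.TMP;90
:\\ProgramData\\Microsoft\\DeviceSync\\gather\.bat;90
:\\ProgramData\\USOShared\\pkg\.db;90
:\\Windows\\System32\\srservice\.dll;90
:\\Windows\\System32\\srsvc\.dll;90
:\\ProgramData\\Cisco\\Client\.exe;90
:\\ProgramData\\cookie\.dat;90
:\\ProgramData\\Intel\\cache\.exe;90
:\\ProgramData\\Intel\\DAL\\~TMP323\.DAT;90
:\\ProgramData\\Intel\\iCLS\.exe;90
:\\ProgramData\\Intel\\SearchProtocol\.bin;90
:\\ProgramData\\UAgent\.exe;90
:\\ProgramData\\UIU\\ui\.exe;90
:\\ProgramData\\USOShared\\~DF099\.DAT;90
:\\Users\\Public\\DF090\.TMP;70
:\\Windows\\System32\\pchsvc\.dll;90
\\GD1029581823\.docx;90
\\InternalPDFViewer\.exe;70
# Generic patterns derived from the specific names above. NOTE(review): the ~DF<hex> form is
# broad (any folder, several extensions) — confirm it does not fire on benign temp files at score 60.
\\~DF[A-Fa-f0-9]{3,4}\.(tmp|TMP|dat|DAT|txt|TXT|bat|BAT|bin|BIN)$;60
\\FOUND[0-9]{3,3}\.CHK$;60
# Third field is presumably a false-positive exclusion regex (paths containing "perl" are
# not scored) — confirm against the LOKI loader; the FORMAT header only documents REGEX;SCORE.
\\IBM[0-9]{3,3}([A-Za-z]{1,3}[0-9]?)?\.(bin|BIN|dat|DAT|bat|BAT)$;60;perl
\\IBM[A-Z][0-9]{3,3}\.(bin|BIN|dat|DAT|bat|BAT)$;60
# Sunburst Filename IOCs CobaltStrike Loader
# NOTE(review): the first rule was written "\\ms\\sms\sms\.dll" — a single backslash before
# "sms" is the regex whitespace class \s, so the rule required a whitespace character instead of a
# path separator and never matched C:\Windows\ms\sms\sms.dll. Fixed to an escaped backslash.
:\\Windows\\ms\\sms\\sms\.dll;90
:\\Windows\\Microsoft\.NET\\Framework64\\sbscmp30\.dll;90
:\\Windows\\AUInstallAgent\\auagent\.dll;90
:\\Windows\\apppatch\\apppatch64\\sysmain\.dll;90
:\\Windows\\Vss\\Writers\\Application\\AppXML\.dll;90
:\\Windows\\PCHEALTH\\health\.dll;90
:\\Windows\\Registration\\crmlog\.dll;90
:\\Windows\\Cursors\\cursrv\.dll;90
:\\Windows\\AppPatch\\AcWin\.dll;90
:\\Windows\\CbsTemp\\cbst\.dll;90
:\\Windows\\AppReadiness\\Appapi\.dll;90
:\\Windows\\Panther\\MainQueueOnline\.dll;90
:\\Windows\\AppReadiness\\AppRead\.dll;90
:\\Windows\\PrintDialog\\PrintDial\.dll;90
:\\Windows\\ShellExperiences\\MtUvc\.dll;90
:\\Windows\\PrintDialog\\appxsig\.dll;90
:\\Windows\\DigitalLocker\\lock\.dll;90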
:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__b03f5f7f11d50a3a\\msbuild\.dll;90 :\\Windows\\Migration\\WTR\\ctl\.dll;90 :\\Windows\\ELAMBKUP\\WdBoot\.dll;90 :\\Windows\\LiveKernelReports\\KerRep\.dll;90 :\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\enUS.Name\.dll;90 :\\Windows\\SoftwareDistribution\\DataStore\\DataStr\.dll;90 :\\Windows\\RemotePackages\\RemoteApps\\RemPack\.dll;90 :\\Windows\\ShellComponents\\TaskFlow\.dll;90 # NK Campaign Against Security Researchers https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ :\\ProgramData\\USOShared\\uso\.bin;100 :\\ProgramData\\VMware\\vmnat-update\.bin;100 :\\ProgramData\\VirtualBox\\update\.bin;100 # Lazarus malware IOCs - Microsoft report on Zinc https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ :\\ProgramData\\USOShared\\USOShared\.dat;90 :\\Windows\\System32\\helpsvc\.sys;95 :\\Windows\\System32\\Irmon\.sys;95 :\\Windows\\System32\\LogonHours\.sys;95 :\\Windows\\System32\\Ntmssvc\.sys;95 :\\Windows\\System32\\NWCWorkstation\.sys;95 :\\Windows\\System32\\Nwsapagent\.sys;95 :\\Windows\\System32\\PCAudit\.sys;95 :\\Windows\\System32\\uploadmgr\.sys;95 :\\ProgramData\\USOShared\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\ProgramData\\Adobe\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\ProgramData\\Mozilla\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\ProgramData\\NVIDIA\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\ProgramData\\Oracle\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\ProgramData\\VirtualBox\\[a-zA-Z_]{2,16}\.(bin|db|cpl)$;65 :\\MSCache\\msomui\.dat;80 :\\MSCache\\local\.cpl;80 :\\ProgramData\\ntuser\.db;80 :\\ProgramData\\ntuser\.ini;80 :\\ProgramData\\taskhost\.exe;80 :\\ProgramData\\Adobe\\get\.exe;80 :\\ProgramData\\Adobe\\ARM\\AdobeUpdate\.exe;80 :\\ProgramData\\Mozilla\\update\.bin;80 :\\ProgramData\\NVIDIA\\graphicscheck\.exe;80 :\\ProgramData\\NVIDIA\\NVIDIA\.bin;80 :\\ProgramData\\Oracle\\java\.db;80 :\\ProgramData\\Oracle\\java\.cpl;80 
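# (continuation of the Lazarus / Zinc list above)
:\\ProgramData\\USOShared\\Search\.bin;80
:\\Windows\\netsvc\.exe;80
:\\Windows\\system32\\kjchost\.dll;80
:\\Windows\\System32\\traextapi\.dll;80
:\\Windows\\System32\\healthextapi\.dll;80
:\\Windows\\System32\\detaextapi\.dll;80
:\\Windows\\Temp\\ads\.tmp;80
:\\windows\\Temp\\CA_Root\.pfx;80
:\\Recovery\\recover\.bin;80
:\\Recovery\\re\.bin;80
# IOCs from Sandworm Centreon Report by CERTFR https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
# NOTE(review): the DB-Drop.php rule contained a Unicode minus sign (U+2212) instead of an
# ASCII hyphen and could never match the real file name; replaced with "-". Literal dots in
# this section are now escaped so "." does not match an arbitrary character.
/tmp/\.applocktx;100
/tmp/\.applock$;80
/usr/local/centreon/www/search\.php;90
/usr/share/centreon/www/search\.php;80
/usr/share/centreon/www/modules/Discovery/include/DB-Drop\.php;100
/usr/share/centreon/www/htmlHeader\.php;80
/configtx\.json;80
# Archive in suspicious folder https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
:\\ProgramData\\[\w]{1,6}\.(zip|7z|rar)$;40
# Typical Webshell Names https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
\\xx\.aspx$;60
\\shell\.aspx$;50
# HAFNIUM IOCs https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
# Any .aspx dropped under aspnet_client or owa\auth\Current is treated as a web shell.
\\inetpub\\wwwroot\\aspnet_client\\[^\\"]{1,20}\.aspx;90
\\inetpub\\wwwroot\\aspnet_client\\[^\\"]{1,20}\\[^\\"]{1,20}\.aspx;90
# ecp\auth: anything whose name does not start with "T" (the [^T] excludes the legitimate files there — confirm)
\\FrontEnd\\HttpProxy\\ecp\\auth\\[^T];70
\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\[^\\"]{1,20}\.aspx;90
\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\[^\\"]{1,20}\\[^\\"]{1,20}\.aspx;90
\\FrontEnd\\HttpProxy\\owa\\auth\\[0-9\.]{6,12}\\[^\\"]{1,20}\.aspx;90
# Exchange Exploitation - Web Shell Filename IOCs https://twitter.com/ESETresearch/status/1366862953006452738?s=20
\\inetpub\\wwwroot\\aspnet_client\\system_web\\(shell\.aspx|supp0rt\.aspx|aspnet\.aspx|aspnet_client\.aspx|client\.aspx|OutlookEN\.aspx);80
# China Chopper file names provided by Huntress Labs https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883
\\inetpub\\wwwroot\\aspnet_client\\discover\.aspx;85
\\inetpub\\wwwroot\\aspnet_client\\supp0rt\.aspx;85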
\\inetpub\\wwwroot\\aspnet_client\\HttpProxy\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\shell\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\system_web\\error\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\OutlookEN\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\aspnettest\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\shellex\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\errorcheck\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\t\.aspx;85 \\inetpub\\wwwroot\\aspnet_client\\system_web\\[a-zA-Z0-9]{8}\.aspx;90 # Microsoft HAFNIUM IOCs https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv \\FrontEnd\\HttpProxy\\owa\\auth\\8Lw7tAhF9i1pJnRo\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\OutlookZH\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\authhead\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\bob\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\current\\one1\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\errorPage\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\errorPages\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\fatal-erro\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\log\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\logg\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\logout\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\one\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\one1\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\shel\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\shel2\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\shel90\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\a\.aspx;95 \\FrontEnd\\HttpProxy\\owa\\auth\\default\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\Server\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\aspnet_client\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\aspnet_iisstart\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\aspnet_pages\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\aspnet_www\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\default1\.aspx;95 \\inetpub\\wwwroot\\aspnet_client\\iispage\.aspx;95 
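# (continuation of the Microsoft HAFNIUM IOC list above)
\\inetpub\\wwwroot\\aspnet_client\\s\.aspx;95
\\inetpub\\wwwroot\\aspnet_client\\session\.aspx;95
\\inetpub\\wwwroot\\aspnet_client\\system_web\\log\.aspx;95
\\inetpub\\wwwroot\\aspnet_client\\xclkmcfldfi948398430fdjkfdkj\.aspx;95
\\inetpub\\wwwroot\\aspnet_client\\xx\.aspx;95
\\FrontEnd\\HttpProxy\\OAB\\log\.aspx;95
# NOTE(review): aspnet_client\Server.aspx and owa\auth\log.aspx / logg.aspx / logout.aspx
# were already listed earlier in this same section; the repeated copies are removed so a hit
# is scored once rather than 190.
# HAFNIUM IOCs https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
\\Windows\\Temp\\xx\.bat;80
# HAFNIUM IOCs https://twitter.com/GadixCRK/status/1369320418574823427?s=20
\\Windows\\Temp\\cw\.exe$;75
# Tick Group Webshell Exchange Exploitation IOCs https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
\\inetpub\\wwwroot\\aspnet_client\\aspnet\.aspx;90
# Calypso Group Webshell Exchange Exploitation IOCs https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
\\inetpub\\wwwroot\\aspnet_client\\client\.aspx;90
\\inetpub\\wwwroot\\aspnet_client\\discover\.aspx;90
# Websiic Filename Exchange Exploitation IOCs https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
\\Program Files\\System\\websvc\.dll;80
\\Common Files\\Microsoft Shared\\WMI\\iiswmi\.dll;80
# Winnti Group Exchange Exploitation IOCs https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
\\inetpub\\wwwroot\\aspnet_client\\caches\.aspx;85
\\inetpub\\wwwroot\\aspnet_client\\shell\.aspx;85
# Tonto Team Group Exchange Exploitation IOC https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
\\inetpub\\wwwroot\\aspnet_client\\dukybySSSS\.aspx;100
# Unattributed Shadowpad Activity in Exchange Exploitation IOC https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/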
C:\\Windows\\Help\\mui\\0109\\mscoree\.dll;90 C:\\mscoree\.dll;70 \\opera_browser\.exe;80 # Mikroceen Activity in Exchange Exploiation IOC https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ \\inetpub\\wwwroot\\aspnet_client\\aspnet_regiis\.aspx;80 \\inetpub\\wwwroot\\aspnet_client\\log_error_9e23efc3\.aspx;80 \\FrontEnd\\HttpProxy\\owa\\auth\\aspnet_error\.aspx;80 \\Users\\Public\\alg\.exe;95 \\Users\\Public\\calcx\.exe;95 \\Users\\Public\\Dump\.exe;95 \\Users\\Public\\1\.log;70 # SilverFish Report https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf \\ProgramData\\IEShim\.dll;90 \\ProgramData\\zertoagent\.exe;90 \\ProgramData\\watscv\.exe;90 \\ProgramData\\myfavoritegame\.exe;90 \\ProgramData\\craftmanager2\.exe;90 \\ProgramData\\craftmanager3\.exe;90 \\Temp\\IEShim\.dll;90 \\Temp\\zertoagent\.exe;90 \\Temp\\watscv\.exe;90 \\Temp\\myfavoritegame\.exe;90 \\Temp\\craftmanager2\.exe;90 \\Temp\\craftmanager3\.exe;90 # SUNSHUTTLE IOCs https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a \\bootcats\.exe$;80 \\f3\.exe$;50 \\prnmngrz\.vbs$;80 \\Lexicon\.exe$;45 \\prndrvrn\.vbs$;80 \\rundll32file_schtaskdaily\.vbs$;80 \\SchCachedSvc\.exe$;90 \\WindowsDSVC\.exe$;90 \\f2\.exe$;50 \\Final_vbscript\.vbs$;80 \\runlog\.dat\.tmp$;80 # Possible exploitation of CVE-2021-2307 https://www.kb.cert.org/vuls/id/567764 C:\\build_area\\openssl\.cnf;90 # Bug in Audio Driver creates .wav files of possibly confidential meetings https://insinuator.net/2021/04/of-corona-buggy-audio-drivers-and-industrial-espionage/ :\\Windows\\Temp\\sam_(mic|ref)_[_\-0-9]{4,20}\.wav;60 # Vulnerable DELL BIOS update driver (the new patched one is named DBUtilDrv2.Sys) - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ C:\\Windows\\Temp\\DBUtil_2_3\.Sys$;70 # DarkSide Supply Chain attacks 
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html \\AppData\\Local\\Chrome\\winvnc\.exe;100 \\Chrome\\UltraVNC\.ini;90 C:\\ProgramData\\WindNT\\;80 \\VirtualHost\.vbs;60 C:\\ProgramData\\psh\\console\.exe;100 \\ProgramData\\psh\\System32Log\.txt;100 C:\\ProgramData\\psh\\;60 \\ProgramData\\Cisco\\update\.exe;100 \\ProgramData\\Cisco Systems\\Cisco Jabber\\update\.exe;60 \\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update\.lnk;60 # Kaseya Supply Chain Attack Pattern https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers :\\Windows\\cert\.exe;100 :\\Windows\\msmpeng\.exe;90 :\\Windows\\mpsvc\.dll;90 # Default driver name in exploit PoC codes - e.g. CVE-2021-1675 and CVE-2021-34527 https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py \\MyExploit\.dll;90 \\evil\.dll;80 \\addCube\.dll;70 \\nightmare\.dll;65 \\mimispool\.dll;85 \\mimispool\.txt;85 # Serv-U vulnerability exploitation CVE-2021-35211 https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211 C:\\Windows\\Temp\\Serv-U\.bat;90 C:\\Windows\\Temp\\test\\current\.dmp;90 # NSO Group Indicators https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso /com\.apple\.softwareupdateservicesd\.plist;85 /roleaccountd\.plist;85 # Suspicious names often found to be malicious samples \\loader\.vbs;65 \\loader\.ps1;65 # SharpHound filename patterns https://williamknowles.io/fetching-sharphound-data-entirely-in-memory-no-dropped-zip-or-json-files-using-bof-net-and-cobalt-strike/ \\202[0-9]{11}_gpos\.json;75 \\202[0-9]{11}_domains\.json;75 _BloodHoundLoopResults\.zip;90 _BloodHound\.zip;90 \\[a-zA-Z0-9]{17}[SyCyi]00[NMZOY][a-zA-Z0-9]{10}t[a-zA-Z0-9]{16}\.bin;75 # SeriousSAM / HiveNightmare https://github.com/GossiTheDog/HiveNightmare and https://github.com/HuskyHacks/ShadowSteal \\SAM-haxx;90 \\ShadowSteal\.exe;90 \\Invoke-HiveNightmare;90 
\\HiveNightmare;80 # PetitPotam Names https://github.com/topotam/PetitPotam \\PetitPotam;90 # SpoolSample Names https://github.com/leechristensen/SpoolSample \\SpoolSample\.exe;80 # Backup file names of important system HIVEs as used in hacktools (Invoke-HiveNightmare) \\Sam\.hive;65 \\SAM-202;60 \\hive_sam_;65 # Relay Attack Tool Names \\PetitPotam;85 \\Invoke-PetitPotam;95 \\RottenPotato;85 \\HotPotato;85 \\JuicyPotato;85;\\JuicyPotato\.php \\just_dce_;85 \\Juicy Potato;85 \\temp\rot\.exe;75 \\Potato\.exe;75 \\Responder\.exe;75 \\smbrelayx;80 \\ntlmrelayx;80 # PlugX THOR Filename IOCs https://unit42.paloaltonetworks.com/thor-plugx-variant/ C:\\ProgramData\\MSDN\\6\.0\\NTUSER\.DAT;80 # TA456 targeting defence contractors https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media \\AppData\\Perflog\\Schedule\.vbs;90 \\AppData\\Perflog\\Logs\.txt;90 # ProxyShell Exploitation https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do \\FrontEnd\\HttpProxy\\owa\\auth\\HWTJQDMFVMPOON\.aspx;90 \\FrontEnd\\HttpProxy\\owa\\auth\\d62ffcd688\.aspx;90 \\FrontEnd\\HttpProxy\\owa\\auth\\415cc41ac1\.aspx;90 \\FrontEnd\\HttpProxy\\owa\\auth\\6514f55e1a\.aspx;90 \\FrontEnd\\HttpProxy\\owa\\auth\\VOLWMFQWPP\.aspx;90 \\inetpub\\wwwroot\\aspnet_client\\system_web\\[^\\"]{1,20}\.aspx;80 \\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\[^\\"]{1,20}\.aspx;80 \\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\[^\\"]{1,20}\.aspx;70 \\FrontEnd\\HttpProxy\\owa\\auth\\Current\\[^\\"]{1,20}\.aspx;70 # Exchange exploitation IOCs https://twitter.com/_JohnHammond/status/1430535961239113733 C:\\ProgramData\\COM1\\[^\.]{1,40}\.aspx;90 C:\\ProgramData\\CON\\[^\.]{1,40}\.aspx;90 C:\\ProgramData\\AUX\\[^\.]{1,40}\.aspx;90 C:\\ProgramData\\AUX\\[^\.]{1,40}\.aspx;90 # Exchange exploitation IOCs 
https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit C:\\Users\\All Users\\COM\\;75 C:\\Users\\All Users\\COM1\\;75 C:\\Users\\All Users\\CON\\;75 C:\\Users\\All Users\\WHO\\;75 C:\\Users\\All Users\\XYZ\\;75 C:\\Users\\All Users\\ZOO\\;75 C:\\Users\\All Users\\ZING\\;75 # Possible attempt to exploit privilege escalation weakness https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae C:\\Program\.exe;65 # Suspicious contents in Users/Public folder \\Users\\Public\\[^\\"]{1,20}\.(dll|vbs|ps1|bat|hta|com);70 \\Users\\Public\\[^\\"]{1,20}\.exe;65 # Nmap, Network scanning tool https://nmap.org/ \\nmap\.exe;50 # FoggyWeb NOBELIUM IOCs https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ C:\\Windows\\ADFS\\version\.dll;85 C:\\Windows\\SystemResources\\Windows\.Data\.TimeZones\\pris\\Windows\.Data\.TimeZones\.zh-PH\.pri;85 # LightBasin / UNC1945 filename IOCs https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/ /usr/bin/pingg;85 /usr/lib/om_proc;75 /usr/lib/frpc;75 /usr/lib/frpc\.ini;75 /usr/lib/cord\.lib;75 /usr/lib/libcord\.so;75 /usr/bin/libcord\.so;75 /cordscan_raw_arm;75 /usr/lib/javacee;85 /usr/lib/sgsnemu;85 /usr/bin/sgsnemu;85 /usr/lib/sgsnemu_bak;85 /usr/lib/tshd;90 /win7_exp/proxychains\.conf;85 /var/tmp/\.font-unix;75 /usr/local/sbin/iptables;65 /sbin/iptablesDir/;70 # Possible FRP ini file (Fast Reverse Proxy) https://github.com/fatedier/frp /frpc\.ini;60 # Suspicious Flash Player Installer file names not used by the legitimate sources https://twitter.com/cyb3rops/status/1451807802901635074 /FlashPlayer\.dmg;75 /AdobeFlashPlayer\.dmg;75 /AdobeFlashPlayerInstaller\.dmg;75 /Adobe_Flash_Player\.dmg;75 /Adobe Flash Player\.dmg;75 /Flash Player\.dmg;75 /Flash_Player\.dmg;75 /Flash_Player_Installer\.dmg;75 /Flash Player Installer\.dmg;75 
/Install_Flash_Player\.dmg;75 /Install Flash Player.dmg;75 /Flash_Player_Setup\.dmg;75 /Flash Player Setup\.dmg;75 # Indicator of a vulnerable version of Gitlab (CVE-2021-22205) https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/ application-5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71\.css;70 application-02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b\.css;70 application-450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54\.css;70 application-45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44\.css;70 application-d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb\.css;70 application-52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c\.css;70 application-051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce\.css;70 application-a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528\.css;70 application-c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4\.css;70 application-4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160\.css;70 application-def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3\.css;70 application-969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e\.css;70 application-455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8\.css;70 application-3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087\.css;70 application-aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b\.css;70 application-bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7\.css;70 application-a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9\.css;70 application-77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f\.css;70 application-3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb\.css;70 application-bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4\.css;70 
application-d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c\.css;70 application-38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d\.css;70 application-4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e\.css;70 application-dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56\.css;70 application-d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f\.css;70 application-78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab\.css;70 application-93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b\.css;70 application-73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d\.css;70 application-340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86\.css;70 application-be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a\.css;70 application-34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86\.css;70 application-67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2\.css;70 application-7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5\.css;70 application-f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812\.css;70 application-f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11\.css;70 application-ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d\.css;70 application-292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369\.css;70 application-39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09\.css;70 application-9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e\.css;70 application-79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9\.css;70 application-2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae\.css;70 # Zoho Desktop Central Vulnerability exploitation CVE-2021-44515 https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html 
\\ManageEngine\\DesktopCentral_Server\\(lib|lib\\third_party_jars\\jersey|lib\\tomcat|lib\\resources|ServerTroubleShooter\\lib|ServerTroubleShooter\\lib\\util|ServerTroubleShooter\\lib\\starter)\\[^\\"]{1,16}\.zip;70 \\webapps\\DesktopCentral\\html\\help_me\.jsp;80 \\webapps\\DesktopCentral\\html\\help_me\.html;80 # Malicious iLO Board Analysis https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/ \\logs\\lifesignal\.bin;80 \\logs\\schedule\.bin;80 \\fakefwdata\.bin;80 # MoonBounce APT https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ \\wbwkem\.dll;85 \\wkbem\.dll;85 \\wmiwk\.dll;85 \\C_20344\.nls;85 \\C_20334\.nls;85 \\compwm\.bin;85 \\pcomnl\.bin;85 \\wmipl\.dll;85 \\Microsoft\.Service\.Watch\.targets;85 \\MstUtil\.exe\.config;85 \\System\.Mail\.Service\.dll;85 \\schtask\.bat;60 \\CmluaApi\.dll;85 # RedHat PrivEsc IOCs https://github.com/ly4k/PwnKit CVE-2021-4034 /PwnKit;90 /PwnKit\.sh;90 # WinPeas / LinPeas Filename IOCs https://github.com/carlospolop/PEASS-ng \\winPEASx64;80 \\winPEASx86;80 \\winPEASxany;80 \\winPEAS\.txt;80 \\winPEAS-Obfuscated\.exe;80 \\winpeas\.exe\.log;80 \\winPEASxany\.bat;80 /linpeas_linux_;80 /linpeas\.sh;80 \\linpeas_linux_;80 linpeas\.log;75 # Gopher Filename IOCs https://github.com/EncodeGroup/Gopher \\Gopher\.exe\.log;80 # Cyber Brief Report German BfV on APT27 https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf \\ProgramData\\windefenders\\thumb\.dat;85 \\ProgramData\\windefenders\\config\.ini;85 \\Program Files\\Common Files\\windefenders\\thumb\.dat;95 \\Program Files\\Common Files\\windefenders\\config\.ini;95 \\Temp\\[a-z\.]{3,16}\.key\.log;65 \\Common Files\\windefenders\\vftrace\.dll;95 # Hermetic Wiper related IOCs https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia \\temp\\sys\.tmp1;65 \\policydefinitions\\postgresql\.exe;85 \\AppData\\Local\\Microsoft\\Windows\\winupd\.log;85 \\link\.ps1;50 
\\text\.ps1;50 # Hermetic Wiper IOCs CrowdStrike https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/ :\\Windows\\System32\\drivers\\bpdr$;85 :\\Windows\\System32\\drivers\\bpdr.sys;85 # DripLoader https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection \\DripLoader\.exe;75 \\passav\.exe;65 # Exploit Code File Names \\(cve|CVE)-20[012][0-9]\-[0-9]{4,5}.{0,20}($|\\);60;(\\share\\doc|\\Microsoft\\Windows Defender Advanced Threat Protection\\|/\.cpanm/work/| \.\.\.\.\. ok|\\sigma\\|\\(cve|CVE)-20[012][0-9]\-[0-9]{4,5}\\n | MFSA |emerging-threats|advisory|fixed) \\(cve|CVE)-20[012][0-9]\-[0-9]{4,5}.{0,20}(\.py|\.exe|\.vbs|\.bat|\.ps1|\.dll);75;(\\share\\doc|CVE\-2017\-9800\-pre\-commit) # Possible Service Path Escalation Attempt http://www.commonexploits.com/unquoted-service-paths/ or simple malware :\\Program\.exe;75 # Local Privilege Escalation exploit names https://github.com/search?q=local+privilege+escalation \\UserProfileSvcEoP\.exe;90 Potato\.exe;65 \\spawn_cmd\.dll;90 \\RogueWinRM\.exe;90 \\StartCMD\.dll;70 \\start_cmd\.dll;70 \\ProfSvcLPE\.exe;75 \\cve\.exe;45 \\RottenTomato\.exe;80 \\windows-privesc-check\.exe;70 \\windows-privesc-check2\.exe;70 \\dll_hijack_detect_x64\.exe;70 \\dll_hijack_detect_x86\.exe;70 # LSASS Dump Names \\lsass[a-zA-Z_\-\.]{1,16}\.(dmp|zip|rar|7z);70 # Programs or scripts in C:\ProgramData folder (no sub folder) \\[Pp]rogram[Dd]ata\\[^\\"/:]{1,40}\.(EXE|DLL|exe|dll|bat|BAT|vbs|vbe|VBS|ps1|psm1)([^._\\\]A-Za-z]|$);70;(\[Discord\.exe\]|UserProfileMigrationService\.exe|\.exe\.textpad|\\\$WINDOWS\.~BT\\|Found legacy CopyFiles operation) # PostDump artefacts https://github.com/post-cyberlabs/Offensive_tools/tree/main/PostDump :\\Temp\\yolo\.log;75 \\PostDump\.exe;65 # DuplicateDump IOC https://github.com/Hagrid29/DuplicateDump :\\LSAPlugin\.dll;80 # Filename IOCs mentioned in Industroyer2 Report 
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \\108_100\.exe;85 \\zrada\.exe;75 \\pa\.pay$;65 \\link\.ps1;60 \\sc\.sh$;65 \\wobf\.sh;80 \\wsol\.sh;80 # Possible LPE CVE-2022-24527 - check the file contents https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/ \\WindowsPowerShell\\Modules\\webAdministration\\webAdministration\.psm1;70 # Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive :\\Windows\\temp\\bc\.bat;85 :\\Windows\\AppPatch\\Custom\\Custom64\\cc\.bat;85 :\\Windows\\temp\\cc\.log;85 :\\Windows\\AppPatch\\Custom\\Custom64\\log\.dat;85 :\\Windows\\Branding\\Basebrd\\x64\.tlb;85 :\\Windows\\Branding\\Basebrd\\language\.dll;85 :\\Windows\\System32\\mscuplt\.dll;70 :\\Windows\\System32\\rpcutl\.dll;70 :\\Windows\\System32\\dot3utl\.dll;70 :\\Windows\\System32\\iumatl\.dll;70 :\\Windows\\System32\\Nlsutl\.dll;70 :\\Windows\\System32\\WindowsPowerShell\\v1.0\\dbghelp\.dll;85 :\\Windows\\System32\\drivers\\bqDsp\.sys;85 :\\Windows\\apppatch\\en-us\\MFSDLL\.exe;85 :\\Windows\\System32\\spool\\drivers\\x64\\3\\prntvpt\.dll;85 :\\Windows\\System32\\WindowsPowerShell\\v1.0\\wlbsctrl\.dll;85 :\\Windows\\assembly\\gac_msil\\dfsvc\\foserv\.exe;85 :\\Windows\\assembly\\temp\\foserv\.exe;85 :\\Windows\\AppPatch\\Custom\\Custom64\\Shiver\.exe;85 :\\Windows\\AppPatch\\Custom\\Custom64\\spark\.exe;85 \\mktzx64\.dll;85 # BPFDoor Analysis https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ /dev/shm/kdmtmpflush;90;grep /dev/shm/kdumpflush;90 /dev/shm/kdumpdb;90 /var/run/haldrund\.pid;80 # Detects vulnerable Confluence Questions plugins based on filename pattern CVE-2022-26138 
https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-confluence-hardcoded-credentials-flaw/ \\confluence-questions-3\.0\.[0-4]\.jar$;50 \\confluence-questions-2\.7\.([0-9]|[12][0-9]|3[0-7])\.jar$;50 # Redline / Racoon Password Stealer filename IOCs https://twitter.com/cglyer/status/1570965878480719873 \\LOGID-[0-9]{7}\.zip$;75 # Metador IOCs https://assets.sentinelone.com/sentinellabs22/metador C:\\Windows\\System32\\cdb\.exe;85 C:\\Windows\\System32\\cdb\.ini;85 C:\\Windows\\System32\\speech02\.db;80 C:\\Windows\\System32\\speech03\.db;80 C:\\Windows\\System32\\fcache11\.db;80 C:\\Windows\\System32\\fcache13\.db;80 C:\\Windows\\System32\\fcache11\.db;80 C:\\Windows\\System32\\fcache13\.db;80 C:\\Windows\\System32\\fcache14\.db;80 \\AppData\\Local\\fintcache\\cdb\.exe;85 \\AppData\\Local\\fintcache\\cdb\.ini;85 \\AppData\\Local\\fintcache\\speech02\.db;80 \\AppData\\Local\\fintcache\\speech03\.db;80 \\AppData\\Local\\fintcache\\fcache11\.db;80 \\AppData\\Local\\fintcache\\fcache13\.db;80 \\AppData\\Local\\fintcache\\fcache11\.db;80 \\AppData\\Local\\fintcache\\fcache13\.db;80 \\AppData\\Local\\fintcache\\fcache14\.db;80 # UNC3886 Report on malicious vSphere Installation Bundles (VIBs) https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence /lsu_lsi_\.v05$;75 /etc/rc\.local\.d/vmware_local\.sh;75 ^/bin/rdt$;75 /bin/vmsyslog\.py;75 /payload1\.v00$;75 /etc/rc\.local\.d/vmware_rhttpio\.sh;75 /usr/lib/vmware/weasel/consoleui/rhttpproxy-io;80 /usr/libexec/setconf/ksmd;75 /usr/bin/ksmd;75 C:\\Windows\\Temp\\avp\.exe;70 C:\\Windows\\Temp\\Silverlight\\wmpd\.exe;75 # Lazarus Report https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ :\\ProgramData\\Adobe\\Adobe\.tmp;80 C:\\ProgramData\\PTC\\colorcpl\.exe;80 C:\\ProgramData\\PTC\\colorui\.dll;80 C:\\Windows\\Vss\\WFS\.exe;80 C:\\Windows\\Vss\\credui\.dll;80 C:\\Windows\\security\\WFS\.exe;80 C:\\Windows\\security\\credui\.dll;80 
C:\\ProgramData\\Caphyon\\wsmprovhost\.exe;80 C:\\ProgramData\\Caphyon\\mi\.dll;80 C:\\PublicCache\\msdxm\.ocx;80 \\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneNoteTray\.LNK;70 # Lazarus FudModule Rootkit Indicators https://www.virusbulletin.com/uploads/pdf/conference/vb2022/VB2022-Kalnai-Havranek.pdf C:\\Windows\\windows\.ini;75 C:\\WINDOWS\\System32\\drivers\\circlassmgr\.sys;75 C:\\WINDOWS\\System32\\drivers\\dmvscmgr\.sys;75 C:\\WINDOWS\\System32\\drivers\\hidirmgr\.sys;75 C:\\WINDOWS\\System32\\drivers\\isapnpmgr\.sys;75 C:\\WINDOWS\\System32\\drivers\\mspqmmgr\.sys;75 C:\\WINDOWS\\System32\\drivers\\umpassmgr\.sys;75 # Emperor Dragonfly report https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group?hsLang=en C:\\Windows\\Help\\OEM\\ContentStore\\vlcplayer\.dat;85 C:\\Windows\\Help\\utilsdll\.dll;85 C:\\Windows\\debug\\LockDown\.dll;85 C:\\Windows\\Help\\Corporate\\auth\.dat;85 C:\\Windows\\debug\\debug\.dat;85 C:\\Windows\\Help\\Corporate\\libvlc\.dll;85 C:\\Windows\\Help\\Corporate\\auth\.dat;85 C:\\Windows\\Help\\Corporate\\vlcplayer\.dat;85 C:\\Windows\\Help\\mui\\0409\\WindowsUpdate\.exe;85 C:\\Windows\\Help\\OEM\\ContentStore\.exe;85 C:\\Windows\\Help\\Windows\\dec\.exe;85 C:\\Windows\\debug\\mfeann\.exe;85 C:\\Windows\\Help\\Corporate\\FCAuth\.exe;85 C:\\Windows\\Help\\Corporate\\vlc\.exe;85 # ProxyNotShell exploitation IOC https://twitter.com/gossithedog/status/1578772856204578819?s=12&t=YYVa81RCA4W71JSygT16hw \\FrontEnd\\HttpProxy\\owa\\auth\\owafonts\.aspx;85 # Suspicious File Name - obfuscation indicators obfuscated[0-9_]{0,7}\.(exe|dll|vbs|vbe|ps1|psm1|bat|vbs|vbe|EXE|DLL|BAT|js|JS)$;70 obfusc[0-9_]{0,7}\.(exe|dll|vbs|vbe|ps1|psm1|bat|vbs|vbe|EXE|DLL|BAT|js|JS)$;70 \\[Oo]bfusc[a-zA-Z0-9_-]{0,20}\.(exe|dll|vbs|vbe|ps1|psm1|bat|vbs|vbe|EXE|DLL|BAT|js|JS)$;70 # POLONIUM IOCs https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/ \\svchostdp\.exe;80 \\4kyro3fs\.dll;85 \\Microsoft Malware 
Protection\.exe;85 \\WindowsSartup22\.exe;90 \\WinUpdate\.dll;80 \\Regestries\.exe;80 \\Mega\.exe;70 # AhnLabs report on Exchange exploitation and Lockbit 3 deployment https://web.archive.org/web/20221011020440/https://asec.ahnlab.com/ko/39682/ \\owa\\auth\\HttpRedirService\.aspx;85 C:\\Users\\ExchService\\Desktop\\mi\.exe;75 C:\\Windows\\System32\\0409\\mi\.exe;85 C:\\Temp\\AUtempR\\p64\.exe;80 C:\\Windows\\System32\\0409\\TeamViewer;95 C:\\Windows\\System32\\0409\\netscan;95 C:\\Windows\\System32\\0409\\H1\.exe;95 C:\\Windows\\System32\\0409\\H2\.exe;95 C:\\Windows\\System32\\0409\\H2\.dll;95 C:\\Windows\\System32\\0409\\[^\\]{1,8}\.(ps1|bat);75 C:\\windows\\H2\.ps1;85 \\S2-PS\.bat;75 \\S2_ps\.bat;75 \\LBP\.ps1;70 \\Lb\.ps1;70 \\H2\.ps1;70 # Procdump - process dump tool used in SysInternals suite https://learn.microsoft.com/en-us/sysinternals/downloads/procdump (?i)\\procdump(64)?(a)?\.(exe|zip);50;(?i)(SysInternals\\) # Suspicious file that starts with procdump, a process dumping tool often used by adversaries https://learn.microsoft.com/en-us/sysinternals/downloads/procdump (?i)\\procdump[^\\]{0,30}\.(exe|dll|vbs|vbe|ps1|psm1|bat|vbs|vbe|js\b|7z|rar);70;(?i)(\\procdump(64)?\.exe) (?i)\\[^\\]{1,30}procdump\.(exe|dll|vbs|vbe|ps1|psm1|bat|vbs|vbe|js\b|7z|rar);70 # Adfind - often used by AD administrators but also by threat actors http://www.joeware.net/freetools/ \\Adfind\.exe;50 \\Adfind\.(7z|rar);65 # FRP Binaries https://github.com/fatedier/frp \\frpc\.exe;70 \\frps\.exe;70 \\frpc$;70 \\frps$;70 \\frpc.ini;70 \\frps.ini;70 \\frpc_full.ini;70 \\frps_full.ini;70 # Impacket default file name used for tools in the examples folder of the project https://github.com/SecureAuthCorp/impacket \\atexec\.py;75 \\wmiquery\.py;70 \\wmipersist\.py;70 \\wmiexec\.py;70 \\tstool\.py;70 \\ticketer\.py;70 \\ticketConverter\.py;70 \\sniffer\.py;70 \\sniff\.py;70 \\smbrelayx\.py;70 \\smbpasswd\.py;70 \\smbexec\.py;70 \\secretsdump\.py;70 \\samrdump\.py;70 \\rpcmap\.py;70 
\\rpcdump\.py;70 \\rdp_check\.py;70 \\psexec\.py;70 \\ntlmrelayx\.py;70 \\nmapAnswerMachine\.py;70 \\netview\.py;70 \\mimikatz\.py;70 \\lookupsid\.py;70 \\kintercept\.py;70 \\keylistattack\.py;70 \\karmaSMB\.py;70 \\goldenPac\.py;70 \\getTGT\.py;70 \\GetNPUsers\.py;70 \\GetADUsers\.py;70 \\Get\-GPPPassword\.py;70 \\exchanger\.py;70 \\esentutl\.py;70 \\dcomexec\.py;70 \\atexec\.py;70 # Forkatz filename IOCs https://github.com/Barbarisch/forkatz c:\\users\\public\\temp\.bin;75 c:\\users\\public\\example\.bin;75 \\forkatz\.exe;75 # PPLKiller tool exploiting CVE-2019-16098 https://github.com/Barakat/CVE-2019-16098 \\PPLKiller\.exe;85 # Typical ASPX Shell Locations https://vimeo.com/770087063 \\aspnet_client\\system_web\\[a-zA-Z0-9_\-]{1,16}\.asp[x]?$;65 # Somnia Ransomware https://cert.gov.ua/article/2724253 \\Temp\\text\.exe;70 C:\\ProgramData\\VMware\\VMware Tools\\1\.exe;85 C:\\ProgramData\\pe_https_x64_360_1\.exe;90 \\Downloads\\Ip_scanner\.zip;70 \\Downloads\\Ip_scanner\\Ip_scanner\.exe;70 l\\Desktop\\netscan_portable\\64-bit\\netscan\.exe;75 \\Downloads\\1\.jpeg;60 \\Somnia_07_08_22_with_FunnySomnia\.exe;95 \\netscan_portable\.7z;65 \\FunnySomnia\.exe;85 # Rubeus Filename IOCs https://github.com/GhostPack/Rubeus/ and https://phackt.com/en-kerberos-constrained-delegation-with-protocol-transition and https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html and https://www.hackingarticles.in/a-detailed-guide-on-rubeus/ C:\\temp\\spns\.txt;85 \\[\w]{1,20}_[0-9]{4}_[0-9]{2}_[0-9]{2}_[0-9]{2}_[0-9]{2}_[0-9]{2}_[a-z]{2,16}_to_[a-z\.\-]{2,24}@;65 \\srv\.tgt;70 \\TotallyNotHashes\.txt;80 \\hashes\.asreproast;85 \\brutepasswords\.txt;75 C:\\Temp\\payload\.exe;75 \\ticket\.kirbi;85 \\silver\.kirbi;85 \\Users\\Public\\type\.hash;70 \\Users\\Public\\type2\.hash;70 \\Rubeus\.exe;85 # Hive Ransomware IOCs CISA Alert AA22-321A https://www.cisa.gov/uscert/ncas/alerts/aa22-321a \\hive\.bat;65 \\shadow\.bat;65 \\Windows_x64_encrypt\.dll;75 \\Windows_x64_encrypt\.exe;75 
\\Windows_x32_encrypt\.dll;75 \\Windows_x32_encrypt\.exe;75 \\Windows_x32_encrypt\.rar;75 \\Linux_encrypt$;70 \\Esxi_encrypt$;70 # RansomBoggs IOCs https://twitter.com/ESETresearch/status/1596181925663760386?s=20&t=lhE6eIEW1dl2k_HvZsr69g \\Desktop\\aes\.bin$;70 C:\\Windows\\Sullivan.1;75 # SysmonEOP Filename IOCs - PoC for CVE-2022-41120 https://github.com/Wh04m1001/SysmonEoP \\SysmonEOP\.exe;90 \\SysmonEOPv2\.exe;90 \\SysmonEOP_v2\.exe;90 Global\\GLOBALROOT\\RPC Control\\CLIP-876BEE15B64B610D2505A44596ED92FBA9624DB923F9D608698BD8C8E64E4F1A;90 # AstroBWT Miner IOCs https://github.com/dero-am/astrobwt-miner/ \\astrobwt-miner;70 \\astrominer;70 # NanoDump IOCs https://github.com/helpsystems/nanodump C:\\Windows\\Temp\\ssp\.dll;65 C:\\ssp\.dll;75 C:\\Windows\\Temp\\report\.docx;75 _lsass\.dmp;70 \\nanodump\.exe;85 \\nanodump\.x64\.exe;85 \\nanodump_ssp\.x64\.dll;80 \\load_ssp\.x64\.exe;80 \\nanodump_ppl\.x64\.exe;80 \\cantaor\.x64\.exe;80 \\doloraso\.x64\.exe;80 \\nanodump\.x64;80 \\load_ssp\.x86\.exe;80 # Suspicious ADModule locations https://github.com/samratashok/ADModule \\Microsoft\.ActiveDirectory\.Management\.dll$;70;(C:\\Windows\\Microsoft\.NET\\assembly\\|C:\\Windows\\WinSxS\\(amd64|x86)_microsoft\.activedirectory\.management_) # Suspicious Web Shell file names https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3-1 \\[0-9]{8,20}\.(aspx|asp|jsp|jspx|php);60;(examples|tests|demo|htdocs) \\[0-9]\.(aspx|asp|jsp|jspx|php);60;(examples|tests|demo|htdocs|\\Debugger.{1}GeneratedFileExtensions.{1}\.) 
# Suspicious Rundll32.exe variations https://twitter.com/_JohnHammond/status/1618988736313966592 \\rundll33\.exe;70 \\rundII32\.exe;70 \\rundlI32\.exe;70 \\rundIl32\.exe;70 # 3CX file name IOCs of malicious packages https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ \\3CXDesktopApp-18\.12\.407\.msi;80 \\3CXDesktopApp-18\.12\.416\.msi;80 \\3CXDesktopApp-18\.11\.1213\.dmg;80 \\3CXDesktopApp-18\.12\.416\.dmg;80 \\3CXDesktopApp-18\.12\.402\.dmg;80 \\3CXDesktopApp-18\.12\.407\.dmg;80 # Gopuram IOCs (3CX related campaigns) https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ C:\\Windows\\system32\\catroot2\\edb\.chk\.log;80 # 3CX IOCs from Mandiant report https://www.3cx.com/blog/news/mandiant-initial-results/ \\private\\etc\\apdl\.cf;75 \\Library\\Graphics\\Quartz$;75 # Gopuram Backdoor file name IOC 5131ae1d27739f56bba92852be3a0cc2 / da450236dc92a53c8476b0b0de9a88e2 https://valhalla.nextron-systems.com/info/rule/APT_MAL_Gopuram_Backdoor_Apr23 C:\\Windows\\system32\\krwve\.jat;85 # Lockbit IOCs https://objective-see.org/blog/blog_0x75.html \\tmp\\locker\.log;70 # Mint Sandstorm IOCs https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ \\DocTemplate\.dotm;70 \\DntDocTemp\.dotm;85 \\Drokbk\.exe;80 # UNC4736 Filename IOCs - Trading Technologies International compromise https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise C:\\Windows\\System32\\MsMpEng\.exe;75 \\X_TRADER_r7\.17\.90p608\.exe;75 \\X_TRADER-ja\.mst;80 C:\\ProgramData\\TPM\\;60 C:\\ProgramData\\TPM\\TpmVscMgrSvr\.exe;85 C:\\ProgramData\\TPM\\winscard\.dll;85 # BPFDoor "mutex" https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game \\var\\run\\initd\.lock;80 # AV/EDR Terminator IOCs https://twitter.com/S0ufi4n3/status/1663059373352943616?s=20 \\terminator\.exe;70 # Blackout 
AV/EDR killer tool https://github.com/ZeroMemoryEx/Blackout \\Blackout\.exe;70 \\Blackout\.sys;75 # Shellcode Loader filenames \\SvcHostDemo\.dll;50 \\PELoader\.exe;60 \\Moneta64\.exe;75 # EDR Block POC https://github.com/S3cur3Th1sSh1t/Ruy-Lopez \\BlockDLL\.exe;75 # GodPotato https://github.com/BeichenDream/GodPotato \\GodPotato-NET2\.exe;90 \\GodPotato-NET35\.exe;90 \\GodPotato-NET4\.exe;90 # MOVEit vulnerability - possible indicators of a compromise https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ \\MOVEitTransfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat|dll|vbe|vbs);70 \\MOVEitTransfer\\wwwroot\\human2\.aspx;90 \\human2\.aspx\.lnk;90 # Barracuda CVE-2023-2868 exploitation IOCs https://www.barracuda.com/company/legal/esg-vulnerability \\1\.sh;50 \\mod_udp\.so;45 \\install_helo\.tar;65 \\intent_helo$;60 \\update_v31\.sh;70 \\mod_require_helo\.lua;65 \\etc\\cron\.hourly\\core\.sh;75 \\etc\\cron\.hourly\\aacore\.sh;75 \\etc\\cron\.hourly\\appcheck\.sh;75 \\etc\\cron\.daily\\core\.sh;75 \\etc\\cron\.daily\\core_check\.sh;75 \\install_bvp74_auth\.tar;75 \\install_att_v2\.tar;75 \\update_v35\.sh;75 \\install_reuse\.tar;75 \\update_v2\.sh;75 # CISA report Citrix NetScaler IOCs https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf \\netscaler\\ns_gui\\vpn\\medialogininit\.png;85 \\var\\tmp\\test\.tar\.gz;45 # ESXiArgs IOCs https://www.trustedsec.com/blog/esxiargs-what-you-need-to-know-and-how-to-protect-your-data/ \\encrypt\.sh;50 \\tmp\tmpy_8th_nb;70 \\tmp\\encrypt$;50 \\tmp\\nohup\.out;65 \\tmp\\index\.html;40 \\tmp\\motd;50 \\tmp\\public\.pem;60 \\tmp\\archieve\.zip;65 # WER Exploit POC CVE-2023-36874 https://github.com/Wh04m1001/CVE-2023-36874 \\WerExpl\.exe;75 \\System32\\wermgr\.exe;70;(?i)(:\\Windows\\|%windir%|\$env:windir|%SystemRoot%|$env:systemroot|\\Device\\) # PPLFault 
https://github.com/gabriellandau/PPLFault C:\\PPLFaultTemp\\;90 C:\\GodFaultTemp\\;90 \\GodFaultPayload\.dll;90 \\PPLFaultPayload\.dll;90 # APT34 malware indicator https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/ \\SystemFailureReporter\\update\.xml;85 # PPLBlade LSASS dumper tool https://github.com/tastypepperoni/PPLBlade \\PPLBlade\.dmp;85 \\PPLBlade\.exe;85 # Typical file names used for registry exports https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks \\security\.sav;65;(?i)C:\\Windows\\System32\\config\\SECURITY\.SAV \\sam\.sav;70 # BiBi Wiper IOCs https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group \\bibi-linux\.out;90 # SysAid exploitation IOCs CVE-2023-47246 https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification \\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user\.exe;80 \\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\.war;80 \\Program Files\\SysAidServer\\tomcat\\webapps\\leave;80 # Rhysida Ransomware ELF for ESX IOCs \\usr\\lib\\vmware\\hostd\\docroot\\_index\.html;75 \\usr\\lib\\vmware\\hostd\\docroot\\ui\\_index\.html;75 # Lockbit Citrixbleed IOCs https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a \\Downloads\\Process Hacker 2\\peview\.exe;85 \\Music\\Process Hacker 2\\processhacker\.exe;85 c:\\perflogs\\processhacker\.exe;85 \\desktop\\proc64\\proc\.exe;85 \\documents\\veeam-get-creds\.ps1;85 \\perflogs\\64-bit\\netscan\.exe;85 \\perflogs\\64-bit\\m\.exe;85 \\perflogs\\64-bit\\m0\.exe;85 \\music\\za_access_my_department\.exe;85 C:\\Windows\\servicehost\.exe;85 C:\\Windows\\sysconf\.bat;85 C:\\Users\\Public\\a\.png;85 C:\\Windows\\Tasks\\em\.cab;85 C:\\Windows\\Tasks\\am\.cab;85 C:\\Windows\\Tasks\\a\.cab;85 C:\\Windows\\Tasks\\z\.txt;85 \\ad\.ps1;50 
[Cc]:\\[Ww]indows\\[Tt]emp\\[Ss]creen[Cc]onnect\\[0-9\.]{1,20}\\[Ff]iles\\[Pp]rocess[Hh]acker\.exe;75 [Cc]:\\[Ww]indows\\[Tt]emp\\[Ss]creen[Cc]onnect\\[0-9\.]{1,20}\\[Ff]iles\\[Aa]zure\.msi;75 # ScreenConnect Exploitation IOCs https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass C:\\Program Files \(x86\)\\ScreenConnect\\App_Extensions\\[^\\]{1,16}\.as[ph]x;75 # ScreenConnect Exploitation IOCs https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 C:\\Windows\\TEMP\\ScreenConnect\\[0-9\.]{8,15}\\LB3\.exe;75 c:\\mpyutd\.msi;85 \\startup\\mpyutd\.msi;85 C:\\Windows\\Help\\Help\\SentinelUI\.exe;90 C:\\Windows\\Help\\Help\\SentinelAgentCore\.dll;90 C:\\Windows\\Help\\Help\\Logs\.txt;75 \\Documents\\Maxx Uptime remote connection\\Files\\agent\.exe;80 C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\restricted\\SimpleService\.exe;80 \\Documents\\MilsoftConnect\\Files\\ta\.exe;80 C:\\Windows\\spsrv\.exe;85 C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\serviceconfig\.xml;85 C:\\ProgramData\\1\.msi;85 c:\\programdata\\update\.dat;80 C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85 # perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/ /libgcwrap\.so;65 /libpprocps\.so;65 /libfsnldev\.so;65 /usr/bin/perfcc;65 /root/\.config/cron/perfcc;65 /tmp/.xdiag/exi;65 /tmp/.xdiag/elog;65 /tmp/.xdiag/int/.e.lock;65 /tmp/.xdiag/hroot/hscheck;65 /tmp/.xdiag/tordata/control_auth_cookie.tmp;85 /tmp/.xdiag/tordata/cached-certs.tmp;85 /tmp/.xdiag/tordata/cached-microdesc-consensus.tmp;85 /tmp/.xdiag/tordata/state.tmp;85 # Suspicious *.rdp files in Outlook temporary folders https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ \\AppData\\Local\\Microsoft\\Windows\\(INetCache|Temporary Internet 
Files)\\Content\.Outlook\\[A-Z0-9]{8}\\[^\\]{1,255}\.rdp$;70 \\AppData\\Local\\Packages\\Microsoft\.Outlook_[a-zA-Z0-9]{1,50}\\.{0,120}\\[^\\]{1,80}\.rdp$;70 \\AppData\\Local\\Microsoft\\Olk\\Attachments\\([^\\]{1,50}\\){0,5}[^\\]{1,80}\.rdp$;70 # Cleo Software Exploitation https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild 60282967-dc91-40ef-a34c-38e992509c2c\.xml;85 \\healthchecktemplate\.txt;75 \\healthcheck\.txt;60 # End