-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Specific detections
Araneida is a scanner and dumper tool for data and pentest enthusiasts, and it's being offered for purchase on a darkweb forum. With a range of features, including an auto web crawler, an advanced SQLi scanner, an auto SQLi dumper, Adminer AFR & SSRF scanner, an RCE scanner, a config file scanner, etc. git file scanner, WordPress scanner, Drupal scanner, LFI/RFI scanner, and over 150 additional vulnerabilities derived from public CVEs and private 0-day exploits for web applications.
References:
The Asset Reconnaissance Lighthouse is designed to quickly detect Internet assets associated with targets and build a basic asset information database. Assist security teams or penetration testers to effectively detect and retrieve assets, continuously detect asset risks from an attacker's perspective, help users gain insight into asset dynamics, grasp security protection weaknesses and quickly converge the attack surface.
References:
Brute Ratel C4 (BRc4) is the newest red-teaming and adversarial attack simulation tool. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.
References:
If installed, in the event of a laptop being stolen, the Computrace software tracks the stolen computer and provides to authorities the information they need to get it back. The issue is that this same software can download and install unknown programs in an unauthorized manner, even if explicitly disabled by the user.
References:
Core Impact is a penetration testing platform designed to enable security teams to conduct advanced tests with ease. Can be used in malware attacks.
References:
Covenant is a .NET C&C framework, that aims to (ab)use offensive .NET tradecraft capabilities and serve as a collaborative command and control platform for red teamers. Network security analysts should investigate similar detections and determine if such frameworks are authorized to be run inside the organizational network.
References:
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised.
References:
Detection of network communication attempts for North Korea's SiliVaccine anti-virus software.
References:
- https://research.checkpoint.com/2018/silivaccine-a-look-inside-north-koreas-anti-virus/
- https://otx.alienvault.com/pulse/5c96b4b5fed1b34723da7b54/
Havoc is the post-exploitation command-and-control (C2) framework, that is being widely used by threat actors to remotely control and monitor their malware-infected systems.
References:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc
- https://www.criticalstart.com/new-framework-raising-havoc/
Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions.
References:
Khepri is a free, open source, cross platform agent and post-exploiton tool written in Golang and C++.
References:
- https://github.com/geemion/Khepri
- https://www.virustotal.com/gui/file/21457a89317e4c6b8aaee5e461a6b4e444c736243d550efd0e681eda05b97007/detection
Mythic is a collaborative, multi-platform, framework. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
References:
Nighthawk is an advanced C2 framework intended for red-team operations through commercial licensing. Leaked versions of Nighthawk are being used by attributed threat actors in the wild. The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code.
References:
Nimplant is a cross-platform (Linux & Windows) implant written in Nim and Python languages.
References:
Malicious campaign abusing push notifications to impact systems with malfeasant push notifications. This activity to date represents a type of social engineering, bypassing many security controls and potentially obtaining persistence by installing a service worker in the browser.
References:
Python BYOB (Build Your Own Botnet) is an open-source project, that provides a library of packages and modules which provide a basic framework for testing the limits of security assets capacity for local network defense.
Note: Network security analysts should investigate similar cases to determine if such framework is authorized to run inside the organizational network.
RedGuard, a derivative tool, based on command and control (C2) front flow control technology. As cyber attacks are constantly evolving , the red and blue team exercises become progressively more complex, RedGuard is designed to provide a better C2 channel hiding solution for the red team, that provides the flow control for the C2 channel, blocks the "malicious" analysis traffic, and better completes the entire attack task. RedGuard is a C2 front flow control tool that can avoid Blue Team, AVS, EDR, Cyberspace Search Engine detects.
References:
RedWaren is CobaltStrike Malleable Redirector. RedWarden was created to solve the problem of IR/AV/EDRs/Sandboxes evasion on the C2 redirector layer.
References:
Sliver is an open source, cross-platform adversary simulation/red team platform, it can be used by organizations of all sizes to perform security testing.
References:
Framework using several social engineering themes for impersonating browser updates (Chrome/Firefox), Flash Player updates, Microsoft Teams updates.
References:
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Can be used to steal various credentials.
References:
Detection of domains and IP addresses, that are related to Lenovo laptops preinstalled adware, named as Superfish.
References:
- https://twitter.com/shaver/status/568216937181749248
- https://www.myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/
- https://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture payload.
References:
Viper is a graphical intranet penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration. It integrates basic functions such as bypass anti-virus software, intranet tunnel, file management, command line and so on.
References:
- FAQ - Frequently Asked Questions
- Trail classes - Information about different classes of trails
- Specific detections - Information about Maltrail specific detections
- Maltrail trails structure - Information about Maltrail trails structure
- Maltrail trails base format - Information about Maltrail trails base format
- Maltrail trails contribution - Information about Maltrail trails contribution
- Maltrail detection nuances - Information about Maltrail detection nuances
- Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform - Information about Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform
- UI tips and tricks - Brief list of user interface features
- CLI management for Maltrail - Information about CLI management for Maltrail
- Miscellaneous - Miscellaneous HOWTOs