Specific detections - stamparm/maltrail GitHub Wiki
Araneida
Araneida is a scanner and dumper tool aimed at data and pentest enthusiasts, and it is offered for purchase on a darkweb forum. Its features include an auto web crawler, an advanced SQLi scanner, an auto SQLi dumper, an Adminer AFR & SSRF scanner, an RCE scanner, a config file scanner, a git file scanner, a WordPress scanner, a Drupal scanner, an LFI/RFI scanner, and over 150 additional vulnerability checks derived from public CVEs and private 0-day exploits for web applications.
Asset Reconnaissance Lighthouse (ARL)
The Asset Reconnaissance Lighthouse is designed to quickly detect Internet assets associated with targets and build a basic asset information database. It assists security teams or penetration testers in effectively detecting and retrieving assets, continuously detecting asset risks from an attacker's perspective, gaining insight into asset dynamics, identifying weaknesses in security protection, and quickly shrinking the attack surface.
Brute Ratel C4 (BRc4)
Brute Ratel C4 (BRc4) is the newest red-teaming and adversarial attack simulation tool. It can not only emulate different stages of an attacker's kill chain, but also provide a systematic timeline and graph for each of the attacks executed, helping the Security Operations Team validate the attacks and improve internal defensive mechanisms. However, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.
Computrace
If installed, in the event of a laptop being stolen, the Computrace software tracks the stolen computer and provides authorities with the information they need to recover it. The issue is that this same software can download and install unknown programs in an unauthorized manner, even if the user has explicitly disabled it.
CoreImpact
Core Impact is a penetration testing platform designed to enable security teams to conduct advanced tests with ease. It can also be used in malware attacks.
Covenant
Covenant is a .NET C&C framework that aims to (ab)use offensive .NET tradecraft capabilities and serve as a collaborative command and control platform for red teamers. Network security analysts should investigate similar detections and determine whether such frameworks are authorized to run inside the organizational network.
DeimosC2
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised.
DPRK SiliVaccine
Detection of network communication attempts for North Korea's SiliVaccine anti-virus software.
References:
- https://research.checkpoint.com/2018/silivaccine-a-look-inside-north-koreas-anti-virus/
- https://otx.alienvault.com/pulse/5c96b4b5fed1b34723da7b54/
Havoc
Havoc is a post-exploitation command-and-control (C2) framework that is widely used by threat actors to remotely control and monitor their malware-infected systems.
References:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc
- https://www.criticalstart.com/new-framework-raising-havoc/
Interactsh
Interactsh is an open-source tool for detecting out-of-band interactions; it is designed to detect vulnerabilities that cause external interactions.
Khepri (Khepri C2)
Khepri is a free, open-source, cross-platform agent and post-exploitation tool written in Golang and C++.
References:
- https://github.com/geemion/Khepri
- https://www.virustotal.com/gui/file/21457a89317e4c6b8aaee5e461a6b4e444c736243d550efd0e681eda05b97007/detection
Mythic
Mythic is a collaborative, multi-platform framework. It is designed to provide a collaborative and user-friendly interface for operators, managers, and reporting throughout red teaming.
Nighthawk
Nighthawk is an advanced C2 framework intended for red-team operations through commercial licensing. Leaked versions of Nighthawk are being used by attributed threat actors in the wild. The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code.
Nimplant
Nimplant is a cross-platform (Linux & Windows) implant written in Nim and Python languages.
Pushbug
A malicious campaign that abuses browser push notifications to deliver malicious notifications to affected systems. To date this activity represents a form of social engineering that bypasses many security controls and can obtain persistence by installing a service worker in the browser.
Python BYOB
Python BYOB (Build Your Own Botnet) is an open-source project that provides a library of packages and modules forming a basic framework for testing the limits of security assets' capacity for local network defense.
Note: Network security analysts should investigate similar cases to determine whether such a framework is authorized to run inside the organizational network.
RedGuard
RedGuard is a derivative tool based on command and control (C2) front-flow control technology. As cyber attacks constantly evolve and red and blue team exercises become progressively more complex, RedGuard is designed to provide a better C2 channel hiding solution for the red team: it provides flow control for the C2 channel, blocks "malicious" analysis traffic, and helps complete the entire attack task. RedGuard is a C2 front-flow control tool that can avoid detection by Blue Teams, AVs, EDRs and cyberspace search engines.
RedWarden
RedWarden is a Cobalt Strike Malleable redirector. It was created to solve the problem of IR/AV/EDR/sandbox evasion on the C2 redirector layer.
Sliver
Sliver is an open-source, cross-platform adversary simulation/red team platform that can be used by organizations of all sizes to perform security testing.
SocGholish
A framework using several social engineering themes that impersonate browser updates (Chrome/Firefox), Flash Player updates and Microsoft Teams updates.
Spiderlabs Responder
Responder is an LLMNR, NBT-NS and mDNS poisoner with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It can be used to steal various credentials.
Superfish
Detection of domains and IP addresses related to the adware named Superfish, which came preinstalled on Lenovo laptops.
References:
- https://twitter.com/shaver/status/568216937181749248
- https://www.myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/
- https://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
Supershell C2
Supershell is a C2 remote control platform accessed through web services. By establishing a reverse SSH tunnel, it provides a fully interactive shell, and it supports payloads for multiple platform architectures.
Viper
Viper is a graphical intranet penetration tool that modularizes and weaponizes the tactics and techniques commonly used in intranet penetration. It integrates basic functions such as anti-virus bypass, intranet tunneling, file management, and a command line.