Rules
modified in the last month
communication/http/client
send HTTP request
[email protected], [email protected]
communication/http/client
receive HTTP response
[email protected]
load-code/dotnet
get .NET assembly entry point
[email protected]
compiler/fsharp
compiled from FSharp
[email protected]
data-manipulation/encryption/aes
decrypt data using AES via .NET
[email protected]
data-manipulation/json
use .NET library Newtonsoft.Json
@johnk3r, [email protected]
data-manipulation/hashing/sha256
hash data using SHA256
[email protected], [email protected], [email protected], [email protected]
collection/keylog
register raw input devices
zeze-zeze, [email protected]
collection/keylog
log keystrokes via direct input
zeze-zeze
modified in the last three months
host-interaction/file-system
use io_uring IO interface on Linux
[email protected]
host-interaction/process/terminate
terminate process
[email protected], [email protected], [email protected]
load-code/shellcode
execute shellcode via Windows callback function
[email protected], [email protected], [email protected]
host-interaction/network
enumerate TCP connections via WMI COM API
[email protected]
host-interaction/network/routing-table
create routing table entry
[email protected]
host-interaction/network/routing-table
get routing table
[email protected]
host-interaction/user
impersonate user
[email protected], [email protected]
host-interaction/filter
enumerate minifilter drivers
[email protected], [email protected]
linking/static/funchook
linked against Funchook
[email protected]
linking/static/plthook
linked against PLTHook
[email protected]
load-code
execute JScript via VsaEngine in .NET
[email protected]
modified in the last year
linking/static/hp-socket
linked against HP-Socket
[email protected], [email protected]
linking/static/grpc
linked against gRPC
[email protected]
anti-analysis/anti-forensic
disable PowerShell transcription
[email protected]
host-interaction/powershell
bypass PowerShell Constrained Language Mode via GetSystemLockdownPolicy patch
[email protected]
communication/http
reference HTTP User-Agent string
@mr-tz, [email protected]
linking/static/eclipse-paho-mqtt-c
linked against Eclipse Paho MQTT C
[email protected]
linking/static/qmqtt
linked against QMQTT
[email protected]
anti-analysis/anti-av
patch Antimalware Scan Interface function
[email protected]
communication/ftp
communicate using FTP
[email protected]
host-interaction/process/modify
acquire load driver privileges
[email protected]
host-interaction/process/modify
acquire debug privileges
[email protected]
anti-analysis/anti-av
patch BitDefender Hooking DLL function
[email protected]
anti-analysis/packer/dxpack
packed with DXPack
[email protected]
load-code/shellcode
create executable heap
[email protected]
anti-analysis/anti-vm/vm-detection
detect mouse movement via activity checks on Windows
[email protected]
host-interaction/network/address
get local IPv4 addresses
[email protected], [email protected], [email protected]
anti-analysis/anti-forensic
unload sysmon
JakePeralta7
exploitation/gadgets
resolve ntoskrnl gadgets
[email protected]
exploitation/gadgets
load ntoskrnl
[email protected]
exploitation/spraying
make suspicious NtFsControlFile call
[email protected]
exploitation/enumeration
make suspicious NtQuerySystemInformation call
[email protected]
host-interaction/filter
unload minifilter driver
JakePeralta7
host-interaction/file-system/write
clear file content
jakeperalta7
persistence/registry
persist via RDP startup programs registry key
[email protected]
persistence/registry
persist via AppCertDlls registry key
[email protected]
impact/features
disable system features via registry on Windows
[email protected]
persistence/registry
persist via Print Monitors registry key
[email protected]
persistence/registry
persist via AutodialDLL registry key
[email protected]
persistence/registry
persist via Natural Language registry key
[email protected]
persistence
persist via Print Processors registry key
[email protected]
impact/features
disable Windows Defender features via registry on Windows
[email protected]
impact/features
disable System Restore features via registry on Windows
[email protected]
collection
enumerate device drivers on Windows
@mr-tz
persistence/registry
persist via Network provider registry key
[email protected]
impact/features
disable firewall features via registry on Windows
[email protected]
persistence/registry
persist via TimeProviders registry key
[email protected]
impact/features
disable Device Guard features via registry on Windows
[email protected]
persistence/registry
persist via LSA registry key
[email protected]
persistence/registry
persist via BootVerificationProgram registry key
[email protected]
persistence/registry
persist via TS InitialProgram registry key
[email protected]
persistence/service
persist via Windows service
[email protected]
persistence/registry/run
persist via Run registry key
[email protected], [email protected]
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VirtualBox
[email protected]
anti-analysis/anti-vm/vm-detection
reference anti-VM strings
[email protected]
malware-family/donut-loader
load shellcode via donut
[email protected]
data-manipulation/encryption/chaskey
encrypt data using chaskey
[email protected]
data-manipulation/encryption/speck
encrypt data using speck
[email protected]
data-manipulation/compression
decompress data using aPLib
@r3c0nst (Frank Boldewin), [email protected], [email protected], [email protected]
load-code/dotnet
load assembly via IAssembly
[email protected]
data-manipulation/encryption/des
decrypt data using TripleDES in .NET
0xRavenspar
data-manipulation/encryption/des
encrypt data using TripleDES in .NET
0xRavenspar
host-interaction/mutex
create or open mutex on Windows
[email protected], [email protected], [email protected]
host-interaction/mutex
check mutex on Windows
[email protected], [email protected]
linking/runtime-linking
link function at runtime on Windows
[email protected], [email protected]
communication/dns
reference DNS over HTTPS endpoints
[email protected] / @markus_neis
persistence/file-system
persist via Get-Variable hijack
[email protected]
persistence/file-system
persist via ErrorHandler script
[email protected]
persistence/file-system
persist via PowerShell profile
[email protected]
persistence/registry
persist via .NET DbgManagedDebugger registry key
[email protected]
persistence/file-system
persist via Windows Terminal Profile
[email protected]
persistence/file-system
persist via Windows accessibility tools
[email protected]
persistence/service
persist via rc script
[email protected]
anti-analysis/anti-av
check for sandbox and av modules
@_re_fox
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VirtualPC
[email protected]
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VMWare
[email protected], @johnk3r
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Xen
[email protected]
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Parallels
[email protected]
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Qemu
[email protected]
host-interaction/driver
disable driver code integrity
[email protected]
host-interaction/process/inject
allocate or change RWX memory
@mr-tz, [email protected]
host-interaction/bootloader
manipulate boot configuration
[email protected]
host-interaction/gui/window/find
find graphical window
[email protected]
host-interaction/gui/taskbar/find
find taskbar
[email protected]
communication/socket/tcp
create TCP socket
[email protected], [email protected], [email protected], [email protected]
communication/socket/udp/send
create UDP socket
[email protected], [email protected], [email protected]
host-interaction/process/modify
enter debug mode in .NET
@v1bh475u
anti-analysis/anti-forensic/clear-logs
clear Windows event logs remotely
[email protected]
communication/socket
connect socket
[email protected], [email protected], [email protected]
communication/socket/udp
connect UDP socket
[email protected]
communication/socket/tcp
connect TCP socket
[email protected], [email protected], [email protected]
host-interaction/process/list
enumerate processes on remote desktop session host
[email protected], [email protected]
communication/http/server
receive HTTP request
[email protected]
write process memory
[email protected]
host-interaction/process/create
create process suspended
[email protected], [email protected]
anti-analysis/anti-forensic/clear-logs
clear Windows event logs
[email protected]
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via mutex
@_re_fox
host-interaction/mutex
check mutex and terminate process on Windows
@_re_fox, [email protected], [email protected]
host-interaction/registry
change registry key timestamp
[email protected]
host-interaction/process/inject
inject APC
[email protected], [email protected]
persistence/registry
persist via ContextMenuHandlers registry key
[email protected]
persistence/registry
persist via Windows Error Reporting registry key
[email protected]
persistence/registry
persist via Command Processor registry key
[email protected]
persistence/registry
persist via hhctrl COM hijack
[email protected]
persistence/registry
persist via App paths registry key
[email protected]
persistence/registry
persist via SilentProcessExit registry key
[email protected]
persistence/registry
persist via Image File Execution Options registry key
[email protected]
persistence/registry
persist via COM hijack
[email protected]
persistence/registry
persist via Netsh registry key
[email protected]
persistence/registry
persist via AeDebug registry key
[email protected]
persistence/registry
persist via COR_PROFILER_PATH registry value
[email protected]
persistence/screensaver
persist via screensaver registry key
[email protected]
persistence/registry
persist via HtmlHelp Author registry key
[email protected]
persistence/registry
persist via Explorer tools registry key
[email protected]
persistence/registry
persist via Disk Cleanup Handler registry key
[email protected]
persistence/registry
persist via TelemetryController registry key
[email protected]
persistence/registry
persist via Group Policy registry key
[email protected]
persistence/registry
persist via AutoplayHandlers registry key
[email protected]
persistence/registry
persist via PATH registry key
[email protected]
persistence/registry
persist via UserInitMprLogonScript registry value
[email protected]
persistence/registry
persist via Code signing registry key
[email protected]
persistence/registry
persist via Filter Handlers registry key
[email protected]
persistence/registry
persist via default file association registry key
[email protected]
persistence
persist via application shimming
[email protected]
persistence/registry
persist via AppX registry key
[email protected]
persistence/registry
persist via DOTNET_STARTUP_HOOKS registry key
[email protected]
persistence/registry
persist via AMSI registry key
[email protected]
persistence/scheduled-tasks
schedule task via schtasks
[email protected], [email protected]
persistence/registry
persist via Active Setup registry key
[email protected]
persistence/registry/appinitdlls
persist via AppInit_DLLs registry key
[email protected]
persistence/registry/winlogon-helper
persist via Winlogon Helper DLL registry key
[email protected], [email protected]
persistence/registry/ginadll
persist via GinaDLL registry key
[email protected]
anti-analysis/anti-vm/vm-detection
check for sandbox username or hostname
@_re_fox, [email protected]
internal/limitation/dynamic
(internal) .NET file limitation
@v1bh475u
internal/limitation/static
(internal) .NET single file deployment limitation
[email protected]
internal/limitation/static
(internal) packer file limitation
[email protected]
internal/limitation/static
(internal) installer file limitation
[email protected]
internal/limitation/static
(internal) autohotkey file limitation
@mr-tz
internal/limitation/static
(internal) Visual Basic file limitation
@mr-tz
internal/limitation/static
(internal) autoit file limitation
[email protected]
allocate memory
[email protected], @mr-tz
change memory protection
@mr-tz
anti-analysis/anti-debugging/debugger-evasion
hide thread from debugger
[email protected], [email protected]
data-manipulation/encryption/dpapi
encrypt data using DPAPI
[email protected], [email protected]
data-manipulation/encryption/rc4
encrypt data using RC4 via SystemFunction033
[email protected]
data-manipulation/encryption/rc4
encrypt data using RC4 via SystemFunction032
[email protected]
data-manipulation/prng
generate random numbers via RtlGenRandom
[email protected], [email protected]
host-interaction/file-system/windows-file-protection
bypass Windows File Protection
[email protected]
load-code/dotnet
load Windows Common Language Runtime
[email protected], [email protected], [email protected]
linking/runtime-linking
link many functions at runtime
[email protected], [email protected]
create or open file
[email protected], [email protected]
communication/c2/file-transfer
upload file to OneDrive
[email protected], [email protected]
communication/http/client
send file via HTTP
[email protected]
communication/http/client
connect to URL
[email protected]
impact/inhibit-system-recovery
resize volume shadow copy storage
[email protected]
host-interaction/hardware/storage
unmount volume via IOCTL
[email protected]
host-interaction/process/modify
modify access privileges
[email protected]
host-interaction/driver
interact with driver via IOCTL
[email protected]
host-interaction/file-system/write
write file on Linux
[email protected], [email protected]
anti-analysis/anti-forensic/self-deletion
self delete
[email protected], @mr-tz
targeting/language
identify system language via API
[email protected]
targeting/automated-teller-machine/ncr
reference NCR ATM library routines
[email protected]
malware-family/plugx
match known PlugX module
[email protected]
collection
get geographical location
moritz.raabe, [email protected]
collection
acquire credentials from Windows Credential Manager
[email protected]
collection/browser
gather firefox profile information
@_re_fox, [email protected]
collection/network
capture packets using SharpPcap
[email protected]
collection/network
get domain trust relationships
johnk3r
collection/network
get MAC address on Windows
[email protected], [email protected], [email protected]
collection/network
capture network configuration via ipconfig
@_re_fox
collection/network
capture public ip
@_re_fox, [email protected]
collection/webcam
capture webcam image
johnk3r
collection/keylog
log keystrokes
[email protected]
collection/screenshot
capture screenshot
[email protected], @_re_fox, [email protected]
collection/screenshot
capture screenshot via keybd event
@_re_fox
collection/database/wmi
reference WMI statements
[email protected]
collection/database/sql
reference SQL statements
[email protected]
collection/file-managers
gather directory-opus information
@_re_fox
collection/file-managers
gather ftpgetter information
@_re_fox
collection/file-managers
gather ftpinfo information
@_re_fox
collection/file-managers
gather ftp-explorer information
@_re_fox
collection/file-managers
gather freshftp information
@_re_fox
collection/file-managers
gather turbo-ftp information
@_re_fox
collection/file-managers
gather securefx information
@_re_fox
collection/file-managers
gather xftp information
@_re_fox
collection/file-managers
gather total-commander information
@_re_fox
collection/file-managers
gather cuteftp information
@_re_fox
collection/file-managers
gather robo-ftp information
@_re_fox
collection/file-managers
gather 3d-ftp information
@_re_fox
collection/file-managers
gather ftpnow information
@_re_fox
collection/file-managers
gather blazeftp information
@_re_fox
collection/file-managers
gather faststone-browser information
@_re_fox
collection/file-managers
gather ftp-voyager information
@_re_fox
collection/file-managers
gather smart-ftp information
@_re_fox
collection/file-managers
gather ws-ftp information
@_re_fox
collection/file-managers
gather nexusfile information
@_re_fox
collection/file-managers
gather global-downloader information
@_re_fox
collection/file-managers
gather alftp information
@_re_fox
collection/file-managers
gather ultrafxp information
@_re_fox
collection/file-managers
gather nova-ftp information
@_re_fox
collection/file-managers
gather cyberduck information
@_re_fox
collection/file-managers
gather winzip information
@_re_fox
collection/file-managers
gather netdrive information
@_re_fox
collection/file-managers
gather coreftp information
@_re_fox
collection/file-managers
gather classicftp information
@_re_fox
collection/file-managers
gather leapftp information
@_re_fox
collection/file-managers
gather flashfxp information
@_re_fox
collection/file-managers
gather winscp information
@_re_fox
collection/file-managers
gather softx-ftp information
@_re_fox
collection/file-managers
gather goftp information
@_re_fox
collection/file-managers
gather staff-ftp information
@_re_fox
collection/file-managers
gather expandrive information
@_re_fox
collection/file-managers
gather bulletproof-ftp information
@_re_fox
collection/file-managers
gather ftprush information
@_re_fox
collection/file-managers
gather direct-ftp information
@_re_fox
collection/file-managers
gather wise-ftp information
@_re_fox
collection/file-managers
gather bitkinex information
@_re_fox
collection/file-managers
gather fling-ftp information
@_re_fox
collection/file-managers
gather southriver-webdrive information
@_re_fox
collection/file-managers
gather fasttrack-ftp information
@_re_fox
collection/file-managers
gather ffftp information
@_re_fox
collection/file-managers
gather ftpshell information
@_re_fox
collection/file-managers
gather frigate3 information
@_re_fox
collection/file-managers
gather ftp-commander information
@_re_fox
collection/file-managers
gather filezilla information
@_re_fox
collection/group-policy
discover Group Policy via gpresult
[email protected]
collection/microphone
capture microphone audio
@_re_fox
create or open section object
[email protected]
communication
send data
[email protected], [email protected]
communication
receive data
[email protected]
communication/socket
create VMCI socket
[email protected]
communication/socket/tcp/send
send TCP data via WFP API
[email protected]
communication/ftp/send
send file using FTP
[email protected], [email protected]
communication/icmp
send ICMP echo request
[email protected]
communication/mailslot
read from mailslot
[email protected]
communication/mailslot
create mailslot
[email protected]
communication/named-pipe/write
write pipe
[email protected], [email protected]
communication/named-pipe/create
create two anonymous pipes
[email protected]
communication/named-pipe/read
read pipe
[email protected], [email protected]
communication/tcp/serve
start TCP server
[email protected], [email protected]
communication/tcp/client
act as TCP client
[email protected], [email protected]
communication/c2/shell
create reverse shell
[email protected]
communication/c2/shell
execute shell command received from socket on Linux
[email protected]
communication/c2/shell
create reverse shell on Linux
[email protected]
communication/c2/shell
execute shell command and capture output
[email protected]
communication/c2/file-transfer
download and write a file
[email protected]
communication/c2/file-transfer
write and execute a file
[email protected]
communication/http
set HTTP header
[email protected], [email protected]
communication/http/server
start HTTP server
[email protected], [email protected]
communication/http/client
create HTTP request
[email protected], [email protected]
communication/http/client
connect to HTTP server
[email protected]
communication/http/client
decompress HTTP response via IEncodingFilterFactory
[email protected]
communication/http/client
read data from Internet
[email protected], [email protected]
linking/runtime-linking
resolve function by FNV-1a hash
[email protected]
host-interaction/container/docker
create container
[email protected]
host-interaction/registry
query or enumerate registry key via StdRegProv
[email protected]
communication/dns
reference Comodo Secure DNS server
[email protected]
data-manipulation/hashing
initialize hashing via WinCrypt
[email protected]
data-manipulation/encryption
encrypt or decrypt data via BCrypt
[email protected]
communication/dns
reference Quad9 DNS server
[email protected]
communication/dns
reference L3 DNS server
[email protected]
host-interaction/process/inject
add value to global atom table
@mr-tz
linking/hooking
hook routines via microsoft detours
[email protected]
communication/http
connect network resource
[email protected]
host-interaction/wmi
create process via WMI in .NET
[email protected]
host-interaction/bootloader
enable safe mode boot
[email protected]
collection/webcam
capture webcam video
@johnk3r
host-interaction/internet/cache
enumerate internet cache
[email protected]
load-code/dotnet/csharp
compile CSharp in .NET
[email protected]
communication/dns
reference kornet DNS server
[email protected]
data-manipulation/hashing
hash data via BCrypt
[email protected]
communication/c2/file-transfer
receive and write data from server to client
[email protected]
host-interaction/network/proxy
get proxy
[email protected]
host-interaction/container/docker
run in container
[email protected]
data-manipulation/hashing/ripemd256
hash data using RIPEMD256
[email protected]
linking/runtime-linking
resolve function by hash
[email protected]
host-interaction/os/version
get OS information via KUSER_SHARED_DATA
@mr-tz
host-interaction/os/info
get system information on Linux
[email protected], [email protected]
communication/http/client
make an HTTP request with a Cookie
[email protected]
host-interaction/session
get session information
[email protected]
host-interaction/file-system/files/list
enumerate files in .NET
[email protected], [email protected]
host-interaction/hardware/storage
enumerate disk volumes
[email protected]
host-interaction/wmi
access WMI data in .NET
[email protected]
anti-analysis
load packed DEX via Jiagu on Android
[email protected]
runtime/dotnet
unmanaged call via dynamic PInvoke in .NET
[email protected]
host-interaction/process
enumerate processes that use resource
@Ana06
host-interaction/process
read process memory
[email protected], @_re_fox, [email protected]
data-manipulation/encryption/salsa20
encrypt data using Salsa20 or ChaCha
[email protected]
anti-analysis/anti-debugging
destroy software breakpoint capability
[email protected]
communication/dns
reference Hurricane Electric DNS server
[email protected]
host-interaction/process/terminate
terminate process by name in .NET
[email protected]
host-interaction/thread
set thread name on Linux
[email protected]
host-interaction/registry
query or enumerate registry value via StdRegProv
[email protected]
communication/dns
reference Verisign DNS server
[email protected]
host-interaction/session
get token privileges
[email protected]
host-interaction/container/docker
list containers
[email protected]
communication/http/client
send data to Internet
[email protected]
anti-analysis/anti-vm/vm-detection
check license value
[email protected]
host-interaction/clipboard
list drag and drop files
[email protected]
host-interaction/gui
display service notification message box
[email protected]
linking/hooking
hook routines via LSPlant
[email protected]
data-manipulation/hashing/ripemd320
hash data using RIPEMD320
[email protected]
host-interaction/internet/cache
delete internet cache
[email protected]
host-interaction/hardware/storage
get storage device properties
[email protected]
host-interaction/uac/bypass
bypass UAC via scheduled task environment variable
[email protected]
anti-analysis/anti-vm/vm-detection
check for windows sandbox via subdirectory
[email protected]
host-interaction/bypass
modify API blacklist or denylist via JNI on Android
[email protected]
host-interation/process
get current process command line
[email protected]
host-interaction/process
get process image filename
[email protected]
communication/dns
reference OpenDNS DNS server
[email protected]
host-interaction/log/clfs/append
append data to CLFS log container
[email protected]
load-code/dotnet/vb
compile Visual Basic in .NET
[email protected]
collection/credentials
prompt user for credentials
[email protected]
communication/http/client
send request in .NET
[email protected]
data-manipulation/database/sql
execute SQLite statement in .NET
[email protected]
host-interaction/registry
create registry key via StdRegProv
[email protected]
collection
collect ssh keys
[email protected]
host-interaction/network
enumerate network shares
[email protected]
collection
enumerate device drivers on Linux
@mr-tz
host-interaction/registry
delete registry value via StdRegProv
[email protected]
host-interaction/gui/window-station
migrate process to active window station
[email protected]
collection/network
get MAC address in .NET
[email protected], [email protected], [email protected]
data-manipulation/hashing/sha512
hash data using SHA512Managed in .NET
[email protected]
host-interaction/process/list
enumerate processes via procfs
[email protected]
linking/runtime-linking
link function at runtime on Linux
[email protected]
collection/network
get MAC address on Linux
[email protected]
host-interaction/container/docker
build Docker image
[email protected]
host-interaction/registry
set registry value via StdRegProv
[email protected]
communication/c2/file-transfer
read and send data from client to server
[email protected]
collection/keylog
log keystrokes via Input Method Manager
@mr-tz
host-interaction/registry
delete registry key via StdRegProv
[email protected]
communication/dns
reference 114DNS DNS server
[email protected]
host-interaction/bypass
bypass hidden API restrictions via JNI on Android
[email protected]
data-manipulation/hashing/sha1
hash data using SHA1 via WinCrypt
[email protected]
communication/dns
reference Cloudflare DNS server
[email protected]
communication/dns
reference Google Public DNS server
[email protected]
data-manipulation/encryption
get client handle via SChannel
[email protected]
persistence
persist via GNOME autostart on Linux
[email protected]
communication/http
send HTTP request with Host header
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for process debug object
[email protected]
communication/dns
reference AliDNS DNS server
[email protected]
linking/runtime-linking
resolve function by djb2 hash
[email protected]
impact/inhibit-system-recovery
delete volume shadow copies
[email protected]
impact/wipe-disk/wipe-mbr
overwrite Master Boot Record (MBR)
[email protected]
executable/resource
extract resource via kernel32 functions
[email protected]
executable/resource
access .NET resource
@mr-tz
persistence
persist via .desktop autostart
[email protected]
persistence
persist via shell profile or rc file
[email protected]
persistence/startup-folder
write file to startup folder
[email protected], [email protected]
persistence/registry/appinitdlls
disable AppInit_DLLs code signature enforcement
[email protected]
persistence/exchange
act as Exchange transport agent
[email protected]
anti-analysis/anti-emulation/wine
check if process is running under wine
@_re_fox
anti-analysis/anti-debugging/debugger-detection
check for time delay via QueryPerformanceCounter
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for OutputDebugString error
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for protected handle exception
[email protected]
anti-analysis/anti-debugging/debugger-detection
check process job object
[email protected]
anti-analysis/anti-forensic
crash the Windows event logging service
[email protected]
anti-analysis/anti-forensic
impersonate file version information
[email protected]
anti-analysis/anti-forensic/timestomp
timestomp file
[email protected]
anti-analysis/anti-forensic/self-deletion
self delete using alternate data streams
[email protected]
anti-analysis/anti-av
patch Event Tracing for Windows function
[email protected]
anti-analysis/anti-av
overwrite DLL .text section to remove hooks
[email protected]
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via registry
@_re_fox
anti-analysis/anti-vm/vm-detection
detect VM via motherboard hardware WMI queries
[email protected]
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via process name
@_re_fox
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via genuine state
@_re_fox
anti-analysis/anti-vm/vm-detection
check for microsoft office emulation
@_re_fox
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via device
@_re_fox
anti-analysis/anti-vm/vm-detection
detect VM via disk hardware WMI queries
[email protected]
compiler/perl2exe
compiled with perl2exe
@_re_fox
data-manipulation/encryption
encrypt data using memfrob from glibc
[email protected]
data-manipulation/encryption
import public key
[email protected]
data-manipulation/encryption
encrypt or decrypt via WinCrypt
[email protected]
data-manipulation/encryption/rsa
reference public RSA key
[email protected]
data-manipulation/encryption/rc6
encrypt data using RC6
[email protected]
data-manipulation/encryption/aes
encrypt data using AES via WinAPI
[email protected]
data-manipulation/encryption/des
encrypt data using DES via WinAPI
@_re_fox
data-manipulation/encryption/rc4
encrypt data using RC4 via WinAPI
[email protected]
data-manipulation/prng
generate random numbers via WinAPI
[email protected], johnk3r
data-manipulation/prng/mersenne
generate random numbers using a Mersenne Twister
[email protected]
data-manipulation/compression
compress data via WinAPI
[email protected]
data-manipulation/compression
create Cabinet on Windows
[email protected], [email protected]
data-manipulation/compression
extract Cabinet on Windows
[email protected]
data-manipulation/compression
compress data using LZO
[email protected], [email protected]
data-manipulation/hashing
hash data via WinCrypt
[email protected]
data-manipulation/hashing/sha1
hash data using SHA1
[email protected], [email protected], [email protected]
data-manipulation/hashing/md5
hash data with MD5
[email protected], [email protected], [email protected]
data-manipulation/hashing/sha384
hash data using SHA384
[email protected]
data-manipulation/hashing/sha224
hash data using SHA224
[email protected]
data-manipulation/hashing/sha512
hash data using SHA512
[email protected]
host-interaction/process
map section object
[email protected]
host-interaction/process/inject
use process replacement
[email protected]
host-interaction/process/inject
hijack thread execution
[email protected], [email protected]
host-interaction/process/inject
inject shellcode using a file mapping object
[email protected]
host-interaction/process/inject
free user process memory
[email protected]
host-interaction/process/inject
inject thread
[email protected], [email protected]
host-interaction/process/inject
inject shellcode using extra window memory
[email protected]
host-interaction/process/inject
inject shellcode using window subclass procedure
[email protected]
host-interaction/process/inject
allocate user process RWX memory
[email protected]
host-interaction/process/inject
attach user process memory
[email protected]
host-interaction/process/inject
inject dll
[email protected]
host-interaction/process/list
get Explorer PID
[email protected]
host-interaction/process/list
find process by PID
[email protected], [email protected]
host-interaction/process/list
enumerate processes
[email protected], [email protected]
host-interaction/process/modules/list
enumerate process modules
[email protected], [email protected]
host-interaction/driver
complete processing asynchronous IO request
[email protected]
host-interaction/driver
create device object
@mr-tz
host-interaction/uac/bypass
bypass UAC via token manipulation
[email protected], [email protected]
host-interaction/uac/bypass
bypass UAC via ICMLuaUtil
[email protected]
host-interaction/uac/bypass
bypass UAC via RPC
[email protected], [email protected]
host-interaction/uac/bypass
bypass UAC via AppInfo ALPC
[email protected]
host-interaction/network/interface
get networking interfaces
[email protected], [email protected], [email protected]
host-interaction/network/connectivity
set TCP connection state
@johnk3r
host-interaction/network/traffic/filter
enumerate network filters via WFP API
[email protected]
host-interaction/network/domain
get domain controller name
[email protected]
host-interaction/network/domain
enumerate domain computers via LDAP
[email protected]
host-interaction/os/info
get system information on Windows
[email protected], [email protected]
host-interaction/os/version
get Linux distribution
[email protected]
host-interaction/os/version
get kernel version
[email protected]
host-interaction/service
continue service
@mr-tz
host-interaction/service
pause service
@mr-tz
host-interaction/service/modify
modify service
[email protected]
host-interaction/service/delete
delete service
[email protected]
host-interaction/service/start
start service
[email protected]
host-interaction/service/stop
stop service
[email protected]
host-interaction/service/create
create service
[email protected]
host-interaction/file-system
bypass Mark of the Web
[email protected]
host-interaction/file-system
create virtual file system in .NET
[email protected]
host-interaction/file-system/meta
get file version info
[email protected], [email protected]
host-interaction/file-system/delete
delete file
[email protected], [email protected]
host-interaction/file-system/files/list
enumerate files on Windows
[email protected], [email protected]
host-interaction/file-system/files/list
enumerate files on Linux
[email protected]
host-interaction/file-system/read
read virtual disk
@_re_fox
host-interaction/file-system/read
read file via mapping
[email protected]
host-interaction/file-system/read
read .ini file
@_re_fox, [email protected]
host-interaction/file-system/read
read file on Windows
[email protected], [email protected]
host-interaction/file-system/read
read file on Linux
[email protected]
host-interaction/registry
set registry key via offline registry library
johnk3r
host-interaction/registry
query or enumerate registry key
[email protected]
host-interaction/registry
query or enumerate registry value
[email protected], [email protected], [email protected]
host-interaction/registry/delete
delete registry key
[email protected], [email protected], johnk3r
host-interaction/registry/delete
delete registry value
[email protected], [email protected]
host-interaction/session
get logon sessions
[email protected]
host-interaction/session
get session user name
[email protected], [email protected]
host-interaction/session
get current user on Linux
[email protected]
host-interaction/session
get token membership
[email protected]
host-interaction/session
get session integrity level
[email protected], [email protected]
host-interaction/bootloader
manipulate safe mode programs
[email protected]
host-interaction/bootloader
disable code signing
[email protected]
host-interaction/mutex
unlock semaphore on Linux
@ramen0x3f
host-interaction/mutex
create semaphore on Linux
@ramen0x3f
host-interaction/mutex
lock semaphore on Linux
@ramen0x3f
host-interaction/firewall/modify
access firewall rule properties via INetFwRule
[email protected]
host-interaction/firewall/modify
access firewall policy via INetFwPolicy2
[email protected]
host-interaction/hardware/cdrom
manipulate CD-ROM drive
[email protected]
host-interaction/hardware/storage
get disk size
[email protected], [email protected]
host-interaction/hardware/keyboard
simulate CTRL ALT DEL
[email protected], johnk3r
host-interaction/hardware/keyboard
get keyboard layout
[email protected]
host-interaction/hardware/cpu
get number of processor cores
[email protected]
host-interaction/hardware/cpu
get CPU information
[email protected], [email protected]
host-interaction/hardware/memory
get memory information
[email protected]
host-interaction/thread/tls
set thread local storage value
[email protected]
host-interaction/thread/list
enumerate threads
[email protected]
host-interaction/thread/create
create thread
[email protected], [email protected], [email protected], [email protected]
host-interaction/console
manipulate console buffer
[email protected], [email protected]
host-interaction/log/clfs/read
read data from CLFS log container
[email protected]
host-interaction/environment-variable
get COMSPEC environment variable
[email protected]
host-interaction/gui
switch active desktop
[email protected]
host-interaction/gui/session/lock
lock the desktop
[email protected]
host-interaction/gui/logon
references logon banner
@_re_fox
host-interaction/gui/window/get-text
get graphical window text
[email protected]
host-interaction/gui/taskbar/hide
hide the Windows taskbar
[email protected]
host-interaction/clipboard
write clipboard data
[email protected], [email protected]
host-interaction/clipboard
read clipboard data
[email protected], [email protected]
host-interaction/clipboard
open clipboard
[email protected]
load-code/powershell/
run PowerShell expression
[email protected]
load-code/shellcode
execute shellcode via Windows fibers
[email protected]
load-code/shellcode
execute shellcode via CopyFile2
[email protected]
load-code/shellcode
execute shellcode via CreateThreadpoolWait
[email protected]
load-code/shellcode
spawn thread to RWX shellcode
[email protected]
load-code/pe
inspect section memory permissions
@Ana06
load-code/pe
access PE header
[email protected]
communication/socket/tcp
create TCP socket via raw AFD driver
[email protected]
persistence/office
act as Office COM add-in
[email protected]
data-manipulation/encryption/rsa
decrypt data using RSA via WinAPI
[email protected]
data-manipulation/encryption/rsa
encrypt data using RSA via WinAPI
[email protected]
data-manipulation/encryption
use bigint function
Ana06
data-manipulation/encryption/rsa
encrypt data using RSA via embedded library
Ana06
host-interaction/process/create
execute shell command via Windows Remote Management
[email protected]
persistence/scheduled-tasks
schedule task via at
joren485
persistence/file-system
write to browser extension directory
[email protected]
persistence/file-system
persist via iphlpapi DLL hijack
[email protected]
persistence/file-system
persist via lnk shortcut
[email protected]
anti-analysis/anti-av
block operations on executable memory pages using Arbitrary Code Guard
[email protected]
linking/static/touchsocket
linked against TouchSocket
[email protected]
runtime/dotnet
compiled with .NET AoT
[email protected]
persistence
persist via BITS job
[email protected]
host-interaction/wmi
connect to WMI namespace via WbemLocator
[email protected]
older
collection
get Steam token
[email protected]
collection/browser
get elevation service for Chromium-based browsers
[email protected]
collection/browser
get Chrome CookieMonster
[email protected]
host-interaction/file-system/write
write file on Windows
[email protected], [email protected]
host-interaction/file-system/copy
copy file
[email protected], [email protected]
host-interaction/file-system/move
move file
[email protected], [email protected]
host-interaction/registry/create
set registry value
[email protected], [email protected]
host-interaction/file-system/write
set shadow password file entry on Linux
[email protected]
collection
get shadow password file entry on Linux
[email protected]
host-interaction/session
get password database entry on Linux
[email protected], [email protected]
data-manipulation/encryption
create new key via CryptAcquireContext
[email protected]
host-interaction/process
get process filename
[email protected]
linking/runtime-linking
access PEB ldr_data
[email protected]
anti-analysis/anti-vm/vm-detection
check for unmoving mouse cursor
BitsOfBinary
host-interaction/registry
open RecentDocs registry key
[email protected]
anti-analysis/packer/nmm-protect
packed with nmm-protect
[email protected]
host-interaction/os
hide shutdown actions via policy
[email protected]
linking/runtime-linking
populate SysWhispers2 syscall list
[email protected]
anti-analysis
execute syscall
@kulinacs, @mr-tz, [email protected], [email protected]
host-interaction/ui/automation
implement UI automation client in .NET
[email protected]
host-interaction/com
access unmanaged COM objects in .NET
[email protected]
host-interaction/wsh
interact with Windows Scripting Host in .NET
[email protected]
host-interaction/shortcut
interact with shortcut via IWshShortcut in .NET
[email protected]
data-manipulation/json
use .NET library SimpleJSON
[email protected]
communication/websocket
use .NET library websocket-sharp
[email protected]
check thread suspend count exceeded
[email protected]
create thread bypassing process freeze
[email protected]
host-interaction/network/traffic/filter
delete network filter via WFP API
[email protected]
linking/static/sqlite3
linked against SQLCipher
[email protected]
host-interaction/hardware/firmware
get system firmware table
[email protected]
linking/static/minhook
linked against MinHook
[email protected]
calculate modulo 256 via x86 assembly
[email protected]
host-interaction/file-system/delete
delete file on Linux
[email protected]
host-interaction/log/debug/write-event
print debug messages
[email protected]
data-manipulation/encoding/base64
decode data using Base64 via VBMI lookup table
[email protected]
communication/socket
attach BPF to socket on Linux
[email protected]
load-code/dotnet
invoke .NET assembly method
[email protected], [email protected]
data-manipulation/encryption/hc-128
encrypt data using HC-128 via WolfSSL
[email protected]
host-interation/process
get current process filesystem mounts on Linux
[email protected]
host-interation/process
get current process memory mapping on Linux
[email protected]
host-interation/process
get system property on Android
[email protected]
host-interaction/file-system/truncate
truncate file on Linux
[email protected]
host-interaction/process/create
create process on Linux
[email protected], [email protected]
collection/keylog
log keystrokes via application hook
[email protected]
host-interaction/gui
set application hook
[email protected]
compiler/dart
compiled with Dart
[email protected]
host-interaction/gui/window/hide
hide graphical window from taskbar
[email protected]
persistence
act as Time Provider DLL
[email protected]
anti-analysis/anti-emulation/android
check if process is running under Android emulator on Android
[email protected]
host-interaction/memory
change memory permission on Linux
[email protected]
host-interaction/memory
map or unmap memory on Linux
[email protected]
host-interaction/file-system
check file permission on Linux
[email protected]
host-interaction/file-system
change file permission on Linux
[email protected], [email protected]
persistence
act as Share Provider DLL
[email protected]
persistence
act as WinDbg extension
[email protected]
compiler/go
compiled with Go
[email protected]
communication/socket
initialize Winsock library
[email protected]
communication/socket
get socket status
[email protected]
communication/socket
set socket configuration
[email protected]
communication/socket
create raw socket
[email protected]
communication/socket/receive
receive data on socket
[email protected], [email protected], [email protected]
communication/socket/send
send data on socket
[email protected], [email protected], [email protected]
communication/dns
resolve DNS
[email protected], johnk3r, [email protected], [email protected]
communication/socket
get socket information
[email protected]
delay execution
[email protected], @ramen0x3f
duplicate stdin and stdout
[email protected]
host-interaction/process
get current PID on Linux
[email protected]
host-interaction/file-system/files/list
enumerate files recursively
@_re_fox, [email protected]
host-interaction/mutex
lock file
[email protected]
host-interaction/hardware/storage
get volume information via IOCTL
[email protected]
host-interaction/hardware/storage
get disk information via IOCTL
[email protected]
impact/wipe-disk
delete drive layout via IOCTL
[email protected]
host-interaction/driver
unload driver
[email protected]
host-interaction/driver
install driver
[email protected]
host-interaction/process/inject
process ghostly hollowing
[email protected]
linking/hooking
hook routines via dlsym RTLD_NEXT
[email protected]
host-interation/process
get current process file path
[email protected]
host-interaction/hardware
enumerate devices by category
@mr-tz
host-interaction/thread/tls
allocate thread local storage
[email protected]
anti-analysis
reference analysis tools strings
[email protected]
allocate or change RW memory
[email protected], @mr-tz
anti-analysis/anti-debugging/debugger-detection
check for debugger via API
[email protected], [email protected]
create File Compression Interface context on Windows
[email protected]
create File Decompression Interface context on Windows
[email protected]
collection/microphone
capture microphone audio in .NET on Android
[email protected]
host-interaction/hardware/camera
access camera in .NET on Android
[email protected]
host-interaction/os/info
get OS version in .NET on Android
[email protected]
compiler/xamarin
compiled with Xamarin
[email protected]
host-interaction
check for incoming call in .NET on Android
[email protected]
collection/screenshot
capture screenshot in .NET on Android
[email protected]
host-interaction
check for outgoing call in .NET on Android
[email protected]
executable/dotnet-singlefile
bundled with .NET single-file deployment
[email protected]
data-manipulation/encoding
encode data using ADD XOR SUB operations
[email protected]
host-interaction/file-system/exists
check if file exists
[email protected], [email protected]
collection/credit-card
parse credit card information
@_re_fox
validate payment card number using luhn algorithm with lookup table
@_re_fox
data-manipulation/encoding/base58
reference Base58 string
[email protected]
anti-analysis
inspect load icon resource
[email protected]
executable/pe
implement COM DLL
[email protected]
persistence
act as DNS server plugin DLL
[email protected]
persistence
act as DHCP server callout DLL
[email protected]
persistence/authentication-process
act as credential manager DLL
[email protected]
persistence/authentication-process
act as password filter DLL
[email protected]
persistence/authentication-process
act as Security Support Provider DLL
[email protected]
persistence/authentication-process
act as SubAuthentication Package DLL
[email protected]
persistence
persist via IIS module
[email protected]
persistence
persist via ISAPI extension
[email protected]
persistence/office
act as Excel XLL add-in
[email protected]
persistence/office
act as Word WLL add-in
[email protected]
compiler/vb
compiled from Visual Basic
@williballenthin
host-interaction/service
run as service
[email protected], [email protected]
load-code/pe
enumerate PE sections
@Ana06, @mr-tz
linking/runtime-linking
resolve function by Brute Ratel Badger hash
[email protected]
linking/runtime-linking
resolve function by FIN8 fasthash
@r3c0nst (Frank Boldewin)
anti-analysis/anti-vm/vm-detection
check for sandbox via MAC address OUIs in .NET
[email protected]
data-manipulation/hashing/ripemd128
hash data using RIPEMD128
[email protected]
data-manipulation/compression
decompress data using QuickLZ
[email protected]
open thread
[email protected]
create or open registry key
[email protected], [email protected]
open process
[email protected]
get OS version
@mr-tz
communication/ip
convert IP address from string
@mr-tz
communication/http
get HTTP content length
[email protected]
communication/http/client
get HTTP response content encoding
[email protected]
collection/network
list TCP connections and listeners
[email protected]
host-interaction/file-system
get file system information on Linux
[email protected]
host-interaction/kernel
communicate with kernel module via Netlink socket on Linux
[email protected]
host-interaction/accounts
add user account to group
[email protected]
data-manipulation/compression
extract zip archive in .NET
[email protected], [email protected]
host-interaction/accounts
change user account password
[email protected]
data-manipulation/encryption
encrypt data via SSPI
[email protected]
runtime
unmanaged call
[email protected]
impact/inhibit-system-recovery
delete Windows backup catalog
[email protected]
host-interaction/accounts
list user accounts for group
[email protected]
communication/rpc/server
listen for remote procedure calls
[email protected]
host-interaction/accounts
add user account
[email protected]
host-interaction/network/address
monitor local IPv4 address changes
[email protected]
data-manipulation/encryption
get remote cert context via SChannel
[email protected]
data-manipulation/encryption
get inbound credentials handle via CredSSP
[email protected]
host-interaction/thread
mark thread detached on Linux
[email protected]
anti-analysis/anti-debugging/debugger-detection
check SystemKernelDebuggerInformation
[email protected]
data-manipulation/compression
create zip archive in .NET
[email protected]
communication/http
parse URL
[email protected]
host-interaction/domain
list domain servers
[email protected]
data-manipulation/encryption
decrypt data via SSPI
[email protected]
host-interaction/accounts
delete user account
[email protected]
host-interaction/accounts
delete user account from group
[email protected]
collection/network
capture network configuration via ifconfig
[email protected]
host-interaction/accounts
list groups for user account
[email protected]
anti-analysis/anti-debugging/debugger-detection
check ProcessDebugFlags
[email protected]
host-interaction/sid
compare security identifiers
[email protected]
collection/network
list UDP connections and listeners
[email protected]
communication/http/server
register HTTP server URL
[email protected]
impact/inhibit-system-recovery
disable automatic Windows recovery features
[email protected]
host-interaction/firewall
interact with iptables
[email protected]
host-interaction/accounts
add user account group
[email protected]
host-interaction/accounts
list user account groups
[email protected]
host-interaction/accounts
delete user account group
[email protected]
host-interaction/hardware/monitor
power down monitor
[email protected]
host-interaction/gui
set global application hook
[email protected]
communication/http
get HTTP request URI
[email protected]
communication
query remote server for available data
[email protected]
host-interaction/clipboard
monitor clipboard content
[email protected]
data-manipulation/hashing/md4
hash data using MD4
[email protected]
host-interaction/accounts
list user accounts
[email protected]
persistence/startup-folder
get startup folder
[email protected]
anti-analysis/packer/generic
packed with generic packer
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for unexpected memory writes
[email protected]
anti-analysis/anti-debugging/debugger-detection
check ProcessDebugPort
[email protected]
anti-analysis/obfuscation/string/stackstring
contain obfuscated stackstrings
[email protected]
anti-analysis/anti-forensic
spoof parent PID
[email protected]
anti-analysis/anti-av
protect spawned processes with mitigation policies
[email protected]
compiler/py2exe
compiled with py2exe
@_re_fox
data-manipulation/encryption
get outbound credentials handle via CredSSP
[email protected]
data-manipulation/checksum/luhn
validate payment card number using luhn algorithm
@_re_fox
data-manipulation/encoding/base64
encode data using Base64
[email protected], [email protected], [email protected]
data-manipulation/encoding/base64
encode data using Base64 via WinAPI
[email protected]
data-manipulation/encoding/base64
decode data using Base64 via WinAPI
[email protected]
host-interaction/process
get process heap force flags
[email protected]
host-interaction/process
get process heap flags
[email protected]
host-interaction/process/dump
create process memory minidump
[email protected]
host-interaction/process/terminate
terminate process via kill
[email protected]
host-interaction/process/list
enumerate processes via NtQuerySystemInformation
@_re_fox
host-interaction/process/create
create process on Windows
[email protected]
host-interaction/file-system
get Windows directory from KUSER_SHARED_DATA
[email protected]
host-interaction/file-system
get Program Files directory
[email protected]
host-interaction/file-system
reference absolute stream path on Windows
[email protected], [email protected]
host-interaction/file-system
get file system object information
[email protected]
host-interaction/file-system/meta
set file attributes
[email protected], [email protected], [email protected]
host-interaction/file-system/meta
get file attributes
[email protected], [email protected]
host-interaction/cli
resolve path using msvcrt
@_re_fox
host-interaction/session
get user security identifier
[email protected]
host-interaction/thread/terminate
terminate thread
[email protected], [email protected], [email protected]
host-interaction/thread/resume
resume thread
[email protected], [email protected]
host-interaction/thread/suspend
suspend thread
[email protected], [email protected]
host-interaction/filter
register minifilter driver
[email protected]
host-interaction/filter
start minifilter driver
[email protected]
host-interaction/gui/session
change the wallpaper
@_re_fox
host-interaction/gui/window/hide
hide graphical window
[email protected]
targeting/automated-teller-machine
identify ATM dispenser service provider
[email protected]
targeting/automated-teller-machine/ncr
load NCR ATM library
[email protected]
targeting/automated-teller-machine/diebold-nixdorf
reference Diebold ATM routines
[email protected]
targeting/automated-teller-machine/diebold-nixdorf
load Diebold Nixdorf ATM library
[email protected]
linking/runtime-linking
get ntdll base address
[email protected]
linking/runtime-linking
get kernel32 base address
[email protected]
linking/static
linked against CPP standard library
@mr-tz
linking/static/wolfssl
linked against wolfSSL
[email protected]
linking/static/aplib
linked against aPLib
[email protected]
linking/static/openssl
linked against OpenSSL
[email protected], [email protected]
linking/static/cryptopp
linked against Crypto++
[email protected]
linking/static/zlib
linked against ZLIB
[email protected]
linking/static/libcurl
linked against libcurl
[email protected]
linking/static/msdetours
linked against Microsoft Detours
[email protected]
linking/static/wolfcrypt
linked against wolfCrypt
[email protected]
linking/static/sqlite3
linked against CppSQLite3
[email protected]
linking/static/sqlite3
linked against sqlite3
[email protected]
linking/static/polarssl
linked against PolarSSL/mbed TLS
[email protected]
collection
use .NET library SharpClipboard
@johnk3r
collection/browser
gather chrome based browser login information
@_re_fox, [email protected]
collection/keylog
log keystrokes via polling
[email protected]
collection/password-manager
steal KeePass passwords using KeeFarce
@Ana06
PEB access
[email protected]
validate payment card number using luhn algorithm with no lookup table
@_re_fox
contain loop
[email protected]
get service handle
[email protected]
contain pusha popa sequence
[email protected]
communication/socket/tcp/send
obtain TransmitPackets callback function via WSAIoctl
[email protected]
communication/named-pipe/connect
connect pipe
[email protected], [email protected]
communication/named-pipe/create
create pipe
[email protected], [email protected]
communication/http
read HTTP header
[email protected], [email protected]
communication/http
initialize WinHTTP library
[email protected]
communication/http
initialize IWebBrowser2
[email protected]
communication/http/server
send HTTP response
[email protected]
communication/http/client
extract HTTP body
[email protected]
communication/http/client
check HTTP status code
@mr-tz
communication/http/client
download URL
[email protected], [email protected], [email protected]
communication/http/client
get HTTP document via IWebBrowser2
[email protected]
communication/http/client
create BITS job
@mr-tz
communication/http/client
prepare HTTP request
[email protected]
runtime/dotnet
execute via .NET startup hook
[email protected]
runtime/dotnet
compiled to the .NET platform
[email protected]
host-interaction/process/dump
capture process snapshot data
@mr-tz
data-manipulation/hashing/rshash
hash data using rshash
@_re_fox
executable/pe/section/tls
contain a thread local storage (.tls) section in .NET
[email protected]
compiler/exescript
compiled with ExeScript
[email protected]
data-manipulation/encoding/xor
covertly decode and write data to Windows directory using indirect calls
[email protected]
load-code/dotnet
load .NET assembly
[email protected]
host-interaction/file-system
enumerate drives
[email protected]
data-manipulation/encryption
encrypt data using FAKEM cipher
[email protected]
data-manipulation/compression
compress data using GZip in .NET
[email protected]
anti-analysis/anti-vm/vm-detection
check for minimum number of windows on screen
[email protected]
anti-analysis/obfuscation
obfuscated with KoiVM
[email protected]
anti-analysis/anti-debugging/debugger-detection
check thread yield allowed
[email protected]
host-interaction/process/terminate
terminate process by name
[email protected]
load-code/dotnet
generate method via reflection in .NET
[email protected]
anti-analysis/packer/perplex
packed with Perplex
[email protected]
linking/static/crypto
linked against libsodium
@mr-tz
collection/screenshot
capture screenshot in Go
[email protected]
host-interaction/browser/history/list
enumerate browser history
[email protected]
load-code/shellcode
execute shellcode via indirect call
[email protected]
data-manipulation/prng
generate random numbers in .NET
[email protected], [email protected]
executable/installer/nsis
packaged as a NSIS installer
[email protected]
host-interaction/console
manipulate console window
[email protected]
compiler/epl
compiled from EPL
[email protected]
host-interaction/clipboard
check clipboard data
[email protected]
anti-analysis/packer/seausfx
packed with SeauSFX
[email protected]
anti-analysis/anti-vm/vm-detection
reference the VMWare IO port
[email protected]
collection/credit-card
search for credit card data
[email protected]
executable/imprec
rebuilt by ImpRec
[email protected]
executable/installer/wiseinstall
packaged as a Wise installer
[email protected]
executable/pintool
packaged as a Pintool
[email protected]
anti-analysis/packer/maskpe
packed with MaskPE
[email protected]
host-interaction/registry
linked against Go registry library
[email protected]
data-manipulation/encryption/dsa
encrypt data using OpenSSL DSA
Ana06
anti-analysis/packer/rpcrypt
packed with RPCrypt
[email protected]
host-interaction/recycle-bin
empty the recycle bin
[email protected]
linking/static/xzip
linked against XZip
[email protected]
data-manipulation/hashing/sha1
hash data using sha1 via x86 extensions
@_re_fox
persistence/startup-folder
reference startup folder
[email protected]
executable/pe/debug
debug build
[email protected]
data-manipulation/hashing/sha256
hash data using sha256 via x86 extensions
@_re_fox
anti-analysis/packer/vprotect
packed with VProtect
[email protected]
data-manipulation/encryption/ecdsa
encrypt data using OpenSSL ECDSA
Ana06
linking/static/httplib
linked against CPP HTTP library
@mr-tz
anti-analysis/packer/crunch
packed with Crunch
[email protected]
anti-analysis/packer/ccg
packed with CCG
[email protected]
anti-analysis/packer/procrypt
packed with ProCrypt
[email protected]
host-interaction/network
get networking parameters
[email protected]
data-manipulation/prng
generate random bytes in .NET
[email protected]
host-interaction/file-system
check file extension in .NET
[email protected]
executable/resource
linked against Go static asset library
[email protected]
persistence/scheduled-tasks
schedule task via ITaskService
[email protected]
collection/database/wmi
linked against Go WMI library
[email protected]
data-manipulation/hashing/aphash
hash data using aphash
@_re_fox
anti-analysis/packer/mpress
packed with Mpress
[email protected]
load-code/dotnet
execute .NET assembly
[email protected]
collection
save image in .NET
[email protected]
host-interaction/process/list
find process by name
[email protected]
executable/hooked/api-override
hooked by API Override
[email protected]
host-interaction/os/version
get OS version in .NET
[email protected]
host-interaction/file-system
generate random filename in .NET
[email protected]
host-interaction/clipboard
clear clipboard data
[email protected]
data-manipulation/encoding/url
decode data using URL encoding
[email protected]
communication/sms
send SMS on Android
@mr-tz
data-manipulation/regex
find data using regex in .NET
[email protected]
anti-analysis/packer/mew
packed with MEW
[email protected]
data-manipulation/encryption/aes
encrypt data using AES via x86 extensions
[email protected]
host-interaction/process
get thread local storage value
[email protected]
communication/http
get system web proxy
[email protected]
host-interaction/thread/timer
execute via timer in .NET
[email protected]
data-manipulation/encryption/aes
encrypt data using AES
[email protected], Ivan Kwiatkowski (@JusticeRage)
host-interaction/process
create Restart Manager session
[email protected]
data-manipulation/json
deserialize JSON in .NET
[email protected]
executable/installer/installshield
packaged as an InstallShield installer
[email protected]
anti-analysis/packer/svkp
packed with SVKP
[email protected]
data-manipulation/hashing/jshash
hash data using jshash
@_re_fox
host-interaction/file-system
read raw disk data
[email protected]
data-manipulation/xml
load XML in .NET
[email protected]
host-interaction/thread/task
execute via asynchronous task in .NET
[email protected]
data-manipulation/prng/lcg
generate random numbers using the Delphi LCG
[email protected]
host-interaction/user
manipulate user privileges
[email protected]
anti-analysis/packer/tsuloader
packed with TSULoader
[email protected]
host-interaction/hardware/firmware
enumerate system firmware tables
[email protected]
anti-analysis/packer/wwpack
packed with WWPACK
[email protected]
data-manipulation/encryption/aes
reference AES constants
[email protected]
anti-analysis/anti-vm/vm-detection
check for VM using instruction VPCEXT
[email protected]
anti-analysis/packer/starforce
packed with StarForce
[email protected]
linking/static/cppregex
linked against CPP regex library
[email protected]
data-manipulation/hashing/md5
authenticate data with MD5-MAC
[email protected]
host-interaction/registry
delete registry key via offline registry library
johnk3r
host-interaction/memory
manipulate unmanaged memory in .NET
[email protected]
host-interaction/file-system/move
move directory
[email protected]
anti-analysis/packer/pepack
packed with Pepack
[email protected]
host-interaction/memory
allocate unmanaged memory in .NET
[email protected]
communication/http
set HTTP User-Agent in .NET
[email protected]
anti-analysis/packer/epack
packed with Epack
[email protected]
impact/cryptocurrency
reference cryptocurrency strings
[email protected]
load-code/pe
enumerate PE sections in .NET
@mr-tz
data-manipulation/hashing/murmur
hash data using murmur2
[email protected]
linking/static/jsoncpp
linked against CPP JSON library
@mr-tz
host-interaction/file-system/exists
check if directory exists
[email protected]
collection/keylog
log keystrokes via raw input data
[email protected]
data-manipulation/json
serialize JSON in .NET
[email protected]
data-manipulation/checksum/crc32
hash data using CRC32b
[email protected]
anti-analysis/packer/neolite
packed with Neolite
[email protected]
communication/http
set HTTP cookie
[email protected], [email protected]
communication/smtp/send
send email in .NET
[email protected]
executable/installer/createinstall
packaged as a CreateInstall installer
[email protected]
data-manipulation/encoding/base64
decode data using Base64 in .NET
[email protected]
linking/runtime-linking
get ntoskrnl base address
@mr-tz
communication/http
set web proxy in .NET
[email protected]
load-code/dotnet
compile .NET assembly
[email protected]
anti-analysis/packer/simple-pack
packed with Simple Pack
[email protected]
anti-analysis/packer/dragon-armor
packed with Dragon Armor
[email protected]
runtime
mixed mode
[email protected]
host-interaction/file-system
set current directory
[email protected]
host-interaction/hardware/keyboard
send keystrokes
[email protected]
data-manipulation/hashing/whirlpool
hash data using Whirlpool
[email protected]
anti-analysis/anti-vm/vm-detection
reference processor manufacturer constants
[email protected]
anti-analysis/packer/shrinker
packed with Shrinker
[email protected]
host-interaction/process/list
linked against Go process enumeration library
[email protected]
data-manipulation/encryption/rsa
encrypt data using OpenSSL RSA
Ana06
executable/installer/winzip
packaged as a WinZip self-extracting archive
[email protected]
anti-analysis/packer/enigma
packed with enigma
[email protected]
communication/authentication
manipulate network credentials in .NET
[email protected]
executable/subfile/pe
contain an embedded PE file
[email protected]
executable/resource
embed dependencies as resources using Fody/Costura
@johnk3r, @mr-tz
executable/pe/section/tls
contain a thread local storage (.tls) section
[email protected]
executable/pe/export
forwarded export
[email protected]
executable/pe/pdb
contains PDB path
[email protected]
executable/installer/inno-setup
packaged as an Inno Setup installer
[email protected]
executable/installer/iexpress
packaged as an IExpress self-extracting archive
[email protected]
executable/dotnet-singlefile
packaged as single-file .NET application
[email protected]
persistence
create shortcut via IShellLink
[email protected]
persistence/scheduled-tasks
schedule task via ITaskScheduler
[email protected]
anti-analysis/anti-disasm
contain anti-disasm techniques
[email protected]
anti-analysis/anti-disasm
64-bit execution via heavens gate
[email protected]
anti-analysis/packer/upack
packed with upack
@_re_fox
anti-analysis/packer/vmprotect
packed with VMProtect
[email protected]
anti-analysis/packer/peshield
packed with peshield
@_re_fox
anti-analysis/packer/nspack
packed with nspack
@_re_fox
anti-analysis/packer/rlpack
packed with rlpack
@_re_fox
anti-analysis/packer/gopacker
packed with GoPacker
[email protected]
anti-analysis/packer/pelocknt
packed with pelocknt
@_re_fox
anti-analysis/packer/upx
packed with UPX
[email protected]
anti-analysis/packer/themida
packed with Themida
[email protected]
anti-analysis/packer/pecompact
packed with PECompact
[email protected]
anti-analysis/packer/aspack
packed with ASPack
[email protected]
anti-analysis/packer/pebundle
packed with pebundle
@_re_fox
anti-analysis/packer/petite
packed with petite
@_re_fox
anti-analysis/packer/confuser
packed with Confuser
[email protected]
anti-analysis/packer/kkrunchy
packed with kkrunchy
@_re_fox
anti-analysis/packer/amber
packed with amber
[email protected]
anti-analysis/packer/y0da
packed with y0da crypter
@_re_fox
anti-analysis/packer/pespin
packed with PESpin
[email protected]
anti-analysis/packer/huan
packed with Huan
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for trap flag exception
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for kernel debugger via shared user data structure
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for PEB NtGlobalFlag flag
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for software breakpoints
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for time delay via GetTickCount
[email protected]
anti-analysis/anti-debugging/debugger-detection
execute anti-debugging instructions
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for hardware breakpoints
[email protected]
anti-analysis/anti-debugging/debugger-detection
check for PEB BeingDebugged flag
[email protected]
anti-analysis/obfuscation
obfuscated with Yano
[email protected]
anti-analysis/obfuscation
obfuscated with Spices.Net Obfuscator
[email protected]
anti-analysis/obfuscation
obfuscated with vs-obfuscation
[email protected]
anti-analysis/obfuscation
obfuscated with Dotfuscator
[email protected]
anti-analysis/obfuscation
obfuscated with ADVobfuscator
[email protected]
anti-analysis/obfuscation
obfuscated with SmartAssembly
[email protected]
anti-analysis/obfuscation
obfuscated with callobfuscator
johnk3r
anti-analysis/obfuscation
obfuscated with Babel Obfuscator
[email protected]
anti-analysis/obfuscation
obfuscated with DeepSea Obfuscator
[email protected]
anti-analysis/anti-forensic
patch process command line
[email protected], @_re_fox
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via dns suffix
@_re_fox
anti-analysis/anti-vm/vm-detection
check for foreground window switch
[email protected]
compiler/pyarmor
compiled with pyarmor
@stvemillertime, @itreallynick
compiler/rust
compiled with rust
@_re_fox, [email protected]
compiler/v
compiled with V
[email protected]
compiler/cx_freeze
compiled with cx_Freeze
@mr-tz, [email protected]
compiler/exe4j
compiled with exe4j
johnk3r
compiler/zig
compiled with Zig
[email protected]
compiler/delphi
compiled with Borland Delphi
[email protected], @mr-tz
compiler/autoit
compiled with AutoIt
[email protected]
compiler/nuitka
compiled with nuitka
@williballenthin, @mr-tz
compiler/d
compiled with dmd
@_re_fox
compiler/nim
compiled with Nim
[email protected]
compiler/autohotkey
compiled with AutoHotKey
[email protected]
compiler/ps2exe
compiled with ps2exe
@_re_fox, [email protected]
compiler/mingw
compiled with MinGW for Windows
[email protected]
data-manipulation/svg
use .NET library SharpVectors
@johnk3r
data-manipulation/encryption/twofish
encrypt data using twofish
@_re_fox
data-manipulation/encryption/skipjack
encrypt data using skipjack
@_re_fox
data-manipulation/encryption/elliptic-curve
encrypt data using Curve25519
[email protected]
data-manipulation/encryption/hc-128
encrypt data using HC-128
[email protected]
data-manipulation/encryption/tea
decrypt data using TEA
[email protected], [email protected]
data-manipulation/encryption/tea
encrypt data using TEA
[email protected], [email protected]
data-manipulation/encryption/xxtea
encrypt data using XXTEA
[email protected]
data-manipulation/encryption/camellia
encrypt data using Camellia
@_re_fox
data-manipulation/encryption/sosemanuk
encrypt data using Sosemanuk
[email protected]
data-manipulation/encryption/xtea
encrypt data using XTEA
[email protected]
data-manipulation/encryption/aes
encrypt data using AES via .NET
[email protected]
data-manipulation/encryption/aes
use .NET library EncryptDecryptUtils
@johnk3r
data-manipulation/encryption/aes
manually build AES constants
[email protected]
data-manipulation/encryption/aes
encrypt data using AES MixColumns step
@mr-tz
data-manipulation/encryption/aes
decrypt data using AES via x86 extensions
[email protected]
data-manipulation/encryption/blowfish
encrypt data using blowfish
@_re_fox
data-manipulation/encryption/vest
encrypt data using vest
@_re_fox
data-manipulation/encryption/des
encrypt data using DES
@_re_fox, [email protected]
data-manipulation/encryption/rc4
encrypt data using RC4 PRGA
[email protected]
data-manipulation/encryption/rc4
encrypt data using RC4 with custom key via WinAPI
[email protected]
data-manipulation/encryption/rc4
encrypt data using RC4 KSA
[email protected]
data-manipulation/checksum/adler32
compute adler32 checksum
[email protected]
data-manipulation/checksum/crc32
hash data with CRC32
[email protected]
data-manipulation/compression
compress data via ZLIB inflate or deflate
[email protected]
data-manipulation/compression
decompress data using LZO
[email protected], [email protected]
data-manipulation/compression
decompress data using UCL
[email protected]
data-manipulation/compression
decompress data via IEncodingFilterFactory
[email protected]
data-manipulation/hmac
authenticate HMAC
[email protected]
data-manipulation/hashing/tiger
hash data using tiger
@_re_fox
data-manipulation/hashing/murmur
hash data using murmur3
[email protected]
data-manipulation/hashing/fnv
hash data using fnv
[email protected], @_re_fox, [email protected]
data-manipulation/hashing/djb2
hash data using djb2
[email protected], [email protected]
data-manipulation/encoding/base64
decode data using Base64 via dword translation table
[email protected], [email protected]
data-manipulation/encoding/base64
reference Base64 string
[email protected]
data-manipulation/encoding/xor
encode data using XOR
[email protected]
host-interaction/process/inject
use process Doppelgänging
[email protected]
host-interaction/process/inject
inject pe
[email protected]
host-interaction/process/create
execute command
@mr-tz
host-interaction/process/create
create a process with modified I/O handles and window
[email protected], [email protected]
host-interaction/network/connectivity
check Internet connectivity via WinINet
[email protected], [email protected]
host-interaction/network/traffic/filter
register network filter via WFP API
[email protected]
host-interaction/network/traffic/copy
copy network traffic
[email protected]
host-interaction/network/domain
get domain information
[email protected], [email protected], [email protected]
host-interaction/os
shutdown system
[email protected]
host-interaction/os/hostname
get hostname
[email protected], [email protected], [email protected]
host-interaction/os/version
check OS version
[email protected], johnk3r
host-interaction/service
query service status
[email protected]
host-interaction/service
query service configuration
@mr-tz
host-interaction/service/list
enumerate services
[email protected], [email protected]
host-interaction/file-system
get common file path
[email protected], [email protected], [email protected]
host-interaction/file-system/meta
get file size
[email protected], [email protected]
host-interaction/file-system/delete
delete directory
[email protected], [email protected]
host-interaction/file-system/create
create directory
[email protected], [email protected]
host-interaction/cli
accept command line arguments
[email protected], [email protected]
host-interaction/registry
open registry key via offline registry library
johnk3r
host-interaction/registry
query registry key via offline registry library
johnk3r
host-interaction/registry
create registry key via offline registry library
johnk3r
host-interaction/bootloader
set UEFI variable
[email protected]
host-interaction/bootloader
get UEFI variable
[email protected]
host-interaction/firewall/modify
access firewall settings via INetFwMgr
[email protected]
host-interaction/hardware/storage
get disk information
[email protected], [email protected]
host-interaction/hardware/storage
enumerate disk properties
[email protected]
host-interaction/hardware/mouse
swap mouse buttons
[email protected]
host-interaction/hardware/cpu
get number of processors
[email protected], [email protected]
host-interaction/hardware/memory
get memory capacity
[email protected]
host-interaction/software
get installed programs
[email protected], @_re_fox
host-interaction/recycle-bin
empty recycle bin quietly
[email protected]
host-interaction/log/winevt/access
access the Windows event log
[email protected]
host-interaction/environment-variable
set environment variable
[email protected]
host-interaction/environment-variable
query environment variable
[email protected], @_re_fox
host-interaction/gui
enumerate gui resources
johnk3r, [email protected]
host-interaction/gui/console
set console window title
[email protected]
host-interaction/memory
create new application domain in .NET
[email protected]
load-code
execute VBScript Javascript or JScript in memory
[email protected]
load-code/pe
rebuild import table
@Ana06
load-code/pe
parse PE header
[email protected]
load-code/pe
resolve function by parsing PE exports
sara-rn
load-code/pe
inject DLL reflectively
@Ana06