Update windows_suspicious_services.csv

nterl0k · web-flow · commit fb4a5ea9f4be · 2025-02-19T15:29:33.000-05:00
nas comments
diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv
@@ -35,7 +35,6 @@ GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs t
 GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/
 InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md
 KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv
-KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv
 MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/
 maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv
 MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv
@@ -45,7 +44,6 @@ ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded ker
 Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
 NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md
 Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap
-OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv
 PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
 PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
 PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv
@@ -55,7 +53,6 @@ PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/m
 ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv
 ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md
 ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md
-PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv
 pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv
 PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv
 QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md
@@ -71,7 +68,6 @@ shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/
 SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW
 sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv
 SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
-sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv
 StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md
 svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv
 svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists
@@ -85,11 +81,4 @@ winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/
 WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
 WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
 WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv
-wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv	
-,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists
-,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists
-,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists
-,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
-,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
-,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
-,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv
