correction
mthcht committed Jan 7, 2025
1 parent 892faef commit 926a20c
Showing 4 changed files with 10 additions and 8 deletions.
4 changes: 2 additions & 2 deletions greyware_tool_keyword.csv
Expand Up @@ -9669,8 +9669,8 @@
"*Find-LocalAdminAccess -Verbose*",".{0,1000}Find\-LocalAdminAccess\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find machine where the user has admin privs","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A"
"*findstr *cpassword *\sysvol\*.xml*",".{0,1000}findstr\s.{0,1000}cpassword\s.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers - gpp finder","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*firewall add allowedprogram *vncviewer.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}vncviewer\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*firewall add allowedprogram *winvnc.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}winvnc\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
4 changes: 2 additions & 2 deletions greyware_tool_keyword_endpoint_detection.csv
Expand Up @@ -9661,8 +9661,8 @@
"*Find-LocalAdminAccess -Verbose*",".{0,1000}Find\-LocalAdminAccess\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find machine where the user has admin privs","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A"
"*findstr *cpassword *\sysvol\*.xml*",".{0,1000}findstr\s.{0,1000}cpassword\s.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers - gpp finder","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A"
"*firewall add allowedprogram *vncviewer.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}vncviewer\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
"*firewall add allowedprogram *winvnc.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}winvnc\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A"
