From 926a20c28f852f5dcf0ce456b1ad597ceee28fbc Mon Sep 17 00:00:00 2001
From: mthcht
Date: Tue, 7 Jan 2025 18:23:04 +0100
Subject: [PATCH] correction

---
 greyware_tool_keyword.csv | 4 ++--
 greyware_tool_keyword_endpoint_detection.csv | 4 ++--
 threathunting-keywords.csv | 8 ++++----
 tools/D-F/findstr.csv | 2 ++
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/greyware_tool_keyword.csv b/greyware_tool_keyword.csv
index cad7f00d7..9d368d109 100644
--- a/greyware_tool_keyword.csv
+++ b/greyware_tool_keyword.csv
@@ -9669,8 +9669,8 @@ "*Find-LocalAdminAccess -Verbose*",".{0,1000}Find\-LocalAdminAccess\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find machine where the user has admin privs","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A" "*findstr *cpassword *\sysvol\*.xml*",".{0,1000}findstr\s.{0,1000}cpassword\s.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers - gpp finder","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" -"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential 
Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" -"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" "*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - 
T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*firewall add allowedprogram *vncviewer.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}vncviewer\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" "*firewall add allowedprogram *winvnc.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}winvnc\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" diff --git a/greyware_tool_keyword_endpoint_detection.csv b/greyware_tool_keyword_endpoint_detection.csv index 8df281239..ada3428d6 100644 --- a/greyware_tool_keyword_endpoint_detection.csv +++ b/greyware_tool_keyword_endpoint_detection.csv 
@@ -9661,8 +9661,8 @@ "*Find-LocalAdminAccess -Verbose*",".{0,1000}Find\-LocalAdminAccess\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find machine where the user has admin privs","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A" "*findstr *cpassword *\sysvol\*.xml*",".{0,1000}findstr\s.{0,1000}cpassword\s.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers - gpp finder","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" -"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential 
Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" -"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr ","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" "*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - 
T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*firewall add allowedprogram *vncviewer.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}vncviewer\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" "*firewall add allowedprogram *winvnc.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}winvnc\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" diff --git a/threathunting-keywords.csv b/threathunting-keywords.csv index 5893b20ce..60069ec68 100644 --- a/threathunting-keywords.csv +++ b/threathunting-keywords.csv 
@@ -18587,7 +18587,7 @@ keyword,metadata_keyword_regex,metadata_keyword_type,metadata_tool,metadata_desc *\wiretap.exe*,".{0,1000}\\wiretap\.exe.{0,1000}",greyware_tool_keyword,wiretap,Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.,T1572,TA0011 - TA0003,N/A,N/A,C2,https://github.com/sandialabs/wiretap,1,0,N/A,N/A,10,9,861,38,2024-11-26T00:33:13Z,2022-11-19T00:19:05Z *\wiretap.log*,".{0,1000}\\wiretap\.log.{0,1000}",greyware_tool_keyword,wiretap,Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.,T1572,TA0011 - TA0003,N/A,N/A,C2,https://github.com/sandialabs/wiretap,1,0,N/A,N/A,10,9,861,38,2024-11-26T00:33:13Z,2022-11-19T00:19:05Z *\WizTree.exe*,".{0,1000}\\WizTree\.exe.{0,1000}",greyware_tool_keyword,wiztree,legitimate tool abused by threat actors to obtain network files and directory listings,T1083,TA0007,N/A,Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal,Discovery,N/A,1,0,N/A,N/A,3,6,N/A,N/A,N/A,N/A -*\wiztree_*_portable.zip* ,".{0,1000}\\wiztree_.{0,1000}_portable\.zip.{0,1000} ",greyware_tool_keyword,wiztree,legitimate tool abused by threat actors to obtain network files and directory listings,T1083,TA0007,N/A,Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal,Discovery,N/A,1,0,N/A,N/A,3,6,N/A,N/A,N/A,N/A +"*\wiztree_*_portable.zip* ",".{0,1000}\\wiztree_.{0,1000}_portable\.zip.{0,1000} ",greyware_tool_keyword,wiztree,legitimate tool abused by threat actors to obtain network files and directory listings,T1083,TA0007,N/A,Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal,Discovery,N/A,1,0,N/A,N/A,3,6,N/A,N/A,N/A,N/A *\wl_log.txt*,".{0,1000}\\wl_log\.txt.{0,1000}",offensive_tool_keyword,whatlicense,WinLicense key extraction via Intel PIN,T1056 - T1056.001 - T1518 - T1518.001,TA0005 - TA0006,N/A,N/A,Exploitation 
tool,https://github.com/charlesnathansmith/whatlicense,1,0,N/A,N/A,6,1,79,12,2024-04-09T05:30:56Z,2023-07-10T11:57:44Z *\wlanpass.txt*,".{0,1000}\\wlanpass\.txt.{0,1000}",offensive_tool_keyword,RouterScan,a penetration testing tool to maliciously scan for and brute force routers - cameras and network-attached storage devices with web interfaces,T1110,TA0006 - TA0007,RouterScan,Conti,Credential Access,https://github.com/mustafashykh/router-scan,1,0,N/A,N/A,8,1,74,37,2019-02-24T14:31:16Z,2019-02-24T07:52:22Z *\wl-lic.exe*,".{0,1000}\\wl\-lic\.exe.{0,1000}",offensive_tool_keyword,whatlicense,WinLicense key extraction via Intel PIN,T1056 - T1056.001 - T1518 - T1518.001,TA0005 - TA0006,N/A,N/A,Exploitation tool,https://github.com/charlesnathansmith/whatlicense,1,0,N/A,N/A,6,1,79,12,2024-04-09T05:30:56Z,2023-07-10T11:57:44Z 
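Review bot: The quoting added around `*\wiztree_*_portable.zip* ` preserves the trailing space in the keyword, and the regex next to it still ends in `.{0,1000} ` — a literal space required after the match — so a command line or path that ends with the archive name will not match the regex form of this entry. The three sibling rows in the hunk end at the filename with no trailing whitespace, which suggests the space was a data-entry slip rather than a deliberate anchor; the cleaner correction is to trim it from both fields: `*\wiztree_*_portable.zip*,".{0,1000}\\wiztree_.{0,1000}_portable\.zip.{0,1000}",greyware_tool_keyword,wiztree,...`. If the trailing space is intentional, a sentence saying so belongs in the free-text comment column, since a reader cannot otherwise tell a required trailing space from a typo.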
@@ -41933,8 +41933,8 @@ keyword,metadata_keyword_regex,metadata_keyword_type,metadata_tool,metadata_desc *findstr *password*,".{0,1000}findstr\s.{0,1000}password.{0,1000}",offensive_tool_keyword,findstr,findstr used to find credentials,T1003 - T1057 - T1070 - T1082 - T1552,TA0001 - TA0002 - TA0005 - TA0007 - TA0011,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,6,10,N/A,N/A,N/A,N/A *findstr *vnc.ini*,".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}",greyware_tool_keyword,findstr,linux commands abused by attackers,T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136,TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002,N/A,N/A,Credential Access,N/A,1,0,N/A,greyware_tools high risks of false positives,6,10,N/A,N/A,N/A,N/A *findstr /S /I cpassword *\policies\*.xml*,".{0,1000}findstr\s\/S\s\/I\scpassword\s.{0,1000}\\policies\\.{0,1000}\.xml.{0,1000}",offensive_tool_keyword,findstr,findstr used to find credentials,T1003 - T1057 - T1070 - T1082 - T1552,TA0001 - TA0002 - TA0005 - TA0007 - TA0011,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,6,10,N/A,N/A,N/A,N/A -*findstr /S cpassword $env:*\sysvol\*.xml*,".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}",greyware_tool_keyword,findstr ,"Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files",T1003.008 - T1552.001,TA0006 - TA0009,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,10,10,N/A,N/A,N/A,N/A -*findstr /S cpassword %*%\sysvol\*.xml*,".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}",greyware_tool_keyword,findstr ,"Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the 
domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files",T1003.008 - T1552.001,TA0006 - TA0009,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,10,10,N/A,N/A,N/A,N/A +*findstr /S cpassword $env:*\sysvol\*.xml*,".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}",greyware_tool_keyword,findstr,"Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files",T1003.008 - T1552.001,TA0006 - TA0009,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,10,10,N/A,N/A,N/A,N/A +*findstr /S cpassword %*%\sysvol\*.xml*,".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}",greyware_tool_keyword,findstr,"Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files",T1003.008 - T1552.001,TA0006 - TA0009,N/A,N/A,Credential Access,N/A,1,0,N/A,N/A,10,10,N/A,N/A,N/A,N/A *findstr /si secret *.docx*,".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}",greyware_tool_keyword,findstr,linux commands abused by attackers,T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136,TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002,N/A,N/A,Credential Access,N/A,1,0,N/A,greyware_tools high risks of false positives,6,10,N/A,N/A,N/A,N/A *findstr lsass*,".{0,1000}findstr\slsass.{0,1000}",offensive_tool_keyword,findstr,findstr used to find lsass pid in order to dump lsass process,T1003 - T1057 - T1070 - T1082 - T1552,TA0001 - TA0002 - TA0005 - TA0007 - 
TA0011,N/A,N/A,Credential Access,https://github.com/gabriellandau/PPLFault,1,0,N/A,N/A,N/A,6,510,82,2024-02-22T17:23:53Z,2022-09-22T19:39:24Z *findstr.exe Tvndrgaaa*,".{0,1000}findstr\.exe\sTvndrgaaa.{0,1000}",offensive_tool_keyword,Earth Lusca Operations Tools,Earth Lusca Operations Tools and commands,T1548.002 - T1098.004 - T1583.001 - T1583.004 - T1583.006 - T1595.002 - T1560.001 - T1547.012 - T1059.001 - T1059.005 - T1059.006 - T1059.007 - T1584.004 - T1584.006 - T1543.003 - T1140 - T1482 - T1189 - T1567.002 - T1190 - T1210 - T1574.002 - T1036.005 - T1112 - T1027 - T1027.003 - T1588.001 - T1588.002 - T1003.001 - T1003.006 - T1566.002 - T1057 - T1090 - T1018 - T1053 - T1608.001 - T1218.005 - T1016 - T1053 - T1049 - T1033 - T1016 - T1049 - T1016 - T1218.001 - T1016 - T1049 - T1033 - T1007 - T1218.005,TA0001 - TA0002 - TA0003,cobaltstrike - mimikatz - powersploit - shadowpad - winnti,Earth Lusca,Exploitation tool,https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf,1,0,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A 
@@ -58470,7 +58470,7 @@ keyword,metadata_keyword_regex,metadata_keyword_type,metadata_tool,metadata_desc *verovaleros/domain_analyzer*,".{0,1000}verovaleros\/domain_analyzer.{0,1000}",offensive_tool_keyword,domain_analyzer,Analyze the security of any domain by finding all the information possible,T1560 - T1590 - T1200 - T1213 - T1057,TA0002 - TA0009,N/A,N/A,Reconnaissance,https://github.com/eldraco/domain_analyzer,1,1,N/A,N/A,6,10,1847,240,2022-12-29T10:57:33Z,2017-08-08T18:52:34Z *vh.4everproxy.com/secure/*,".{0,1000}vh\.4everproxy\.com\/secure\/.{0,1000}",offensive_tool_keyword,4everproxy,proxy software that enables access to Tor Hidden Services by mean of common web browsers,T1090 - T1071,TA0001 - TA0005,N/A,N/A,Defense Evasion,https://www.4everproxy.com/,1,1,N/A,this pattern could be observed in any proxyfied site,6,10,N/A,N/A,N/A,N/A *victim_host_generator.py*,".{0,1000}victim_host_generator\.py.{0,1000}",offensive_tool_keyword,monkey,Infection Monkey - An automated pentest tool,T1078 - T1135 - T1046 - T1087 - T1105,TA0007 - TA0008 - TA0001 - TA0011,N/A,N/A,Exploitation tool,https://github.com/guardicore/monkey,1,1,N/A,N/A,N/A,10,6692,788,2024-11-12T21:39:26Z,2015-08-30T07:22:51Z -*VID_03EB&PID_2403*,".{0,1000}VID_03EB\&PID_2403\s.{0,1000}",offensive_tool_keyword,Hak5 Rubber Ducky,keystroke injection tool ,T1021 - T1056.001 - T1060 - T1573 - T1573.002,TA0002 - TA0007 - TA0044,N/A,N/A,Hardware,https://github.com/greghanley/ducky-decode-wiki/blob/master/Guide_Change_USB_VID_PID.wiki,1,0,#deviceid,can appear in windows eventid 6416,10,1,2,0,2015-03-15T02:45:33Z,2015-03-15T02:45:31Z +*VID_03EB&PID_2403*,".{0,1000}VID_03EB\&PID_2403\s.{0,1000}",offensive_tool_keyword,Hak5 Rubber Ducky,"keystroke injection tool ",T1021 - T1056.001 - T1060 - T1573 - T1573.002,TA0002 - TA0007 - TA0044,N/A,N/A,Hardware,https://github.com/greghanley/ducky-decode-wiki/blob/master/Guide_Change_USB_VID_PID.wiki,1,0,#deviceid,can appear in windows eventid 
6416,10,1,2,0,2015-03-15T02:45:33Z,2015-03-15T02:45:31Z *VID_0483&PID_5740*,".{0,1000}VID_0483\&PID_5740.{0,1000}",offensive_tool_keyword,FlipperZero,Flipper ZeroFlipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body,T1021 - T1056.001 - T1060 - T1573 - T1573.002,TA0002 - TA0007 - TA0044,N/A,N/A,Hardware,https://docs.flipper.net/qflipper/windows-debug,1,0,#deviceid,can appear in windows eventid 6416,10,10,N/A,N/A,N/A,N/A *viewdns-get-rootdomains-ip-ns *,".{0,1000}viewdns\-get\-rootdomains\-ip\-ns\s.{0,1000}",offensive_tool_keyword,thoth,Automate recon for red team assessments.,T1190 - T1083 - T1018,TA0007 - TA0043 - TA0001,N/A,N/A,Reconnaissance,https://github.com/r1cksec/thoth,1,0,N/A,N/A,7,1,93,10,2024-09-04T08:36:01Z,2021-11-15T13:40:56Z *viewdns-get-rootdomains-whois *,".{0,1000}viewdns\-get\-rootdomains\-whois\s.{0,1000}",offensive_tool_keyword,thoth,Automate recon for red team assessments.,T1190 - T1083 - T1018,TA0007 - TA0043 - TA0001,N/A,N/A,Reconnaissance,https://github.com/r1cksec/thoth,1,0,N/A,N/A,7,1,93,10,2024-09-04T08:36:01Z,2021-11-15T13:40:56Z diff --git a/tools/D-F/findstr.csv b/tools/D-F/findstr.csv index 82d0f5d69..35e2775c4 100644 --- a/tools/D-F/findstr.csv +++ b/tools/D-F/findstr.csv 
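Review bot: The re-quoted Rubber Ducky row still carries a regex, `VID_03EB\&PID_2403\s.{0,1000}`, that requires a whitespace character immediately after the PID, while the glob keyword `*VID_03EB&PID_2403*` and the neighbouring FlipperZero row (`VID_0483\&PID_5740.{0,1000}`) impose no such constraint. In the device-instance strings that event 6416 carries, the VID/PID pair is normally followed by a backslash and an instance identifier rather than a space, so the regex form is likely to miss the very event the comment column says it targets; I would drop the `\s` so the two forms agree: `.{0,1000}VID_03EB\&PID_2403.{0,1000}`. The commit itself only adds quotes around the description, so this is pre-existing, but the row is being rewritten anyway and the mismatch is worth fixing in the same pass.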
@@ -6,5 +6,7 @@ "*findstr *password*",".{0,1000}findstr\s.{0,1000}password.{0,1000}","offensive_tool_keyword","findstr","findstr used to find credentials","T1003 - T1057 - T1070 - T1082 - T1552","TA0001 - TA0002 - TA0005 - TA0007 - TA0011","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A" "*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*findstr /S /I cpassword *\policies\*.xml*",".{0,1000}findstr\s\/S\s\/I\scpassword\s.{0,1000}\\policies\\.{0,1000}\.xml.{0,1000}","offensive_tool_keyword","findstr","findstr used to find credentials","T1003 - T1057 - T1070 - T1082 - T1552","TA0001 - TA0002 - TA0005 - TA0007 - TA0011","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" +"*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the 
term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A" "*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A" "*findstr lsass*",".{0,1000}findstr\slsass.{0,1000}","offensive_tool_keyword","findstr","findstr used to find lsass pid in order to dump lsass process","T1003 - T1057 - T1070 - T1082 - T1552","TA0001 - TA0002 - TA0005 - TA0007 - TA0011","N/A","N/A","Credential Access","https://github.com/gabriellandau/PPLFault","1","0","N/A","N/A","N/A","6","510","82","2024-02-22T17:23:53Z","2022-09-22T19:39:24Z"
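Review bot: The two rows added to findstr.csv map the SYSVOL `cpassword` search to `T1003.008 - T1552.001`, but T1003.008 is the /etc/passwd-and-/etc/shadow sub-technique of OS Credential Dumping, and ATT&CK has a sub-technique for exactly this behaviour, T1552.006 (Unsecured Credentials: Group Policy Preferences); I would change the technique field on both rows to `T1552.006 - T1552.001`. The same two rows appear with the same mapping in greyware_tool_keyword.csv, greyware_tool_keyword_endpoint_detection.csv and threathunting-keywords.csv elsewhere in this patch, so the fix should be applied to all four copies to keep the per-tool file and the aggregated files in sync. The regex form matches only the literal `/S` and lowercase `cpassword`; whether `findstr /s` or `cPassword` is also caught depends on how consumers apply the regex, which is worth confirming or stating in the comment column. The description's "weakly encrypted password" would be more useful to a responder as "AES-encrypted with a key Microsoft published, so any hit is a recoverable cleartext credential (MS14-025 removed the ability to set these)", since that is what makes this a high-severity finding rather than a lead.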