forked from splunk/security_content
attacker_tools.csv
attacker_tool_names,description
remcom.exe,This process is an open source replacement for psexec and is not typically seen in an enterprise environment.
pwdump.exe,This process is associated with a tool used to dump password hashes on a Windows system.
pwdump2.exe,This process is associated with a tool used to dump password hashes on a Windows system.
nc.exe,This process is the open source netcat utility used to open arbitrary TCP and UDP connections or listeners and is often used by attackers as a reverse shell or for file transfer.
wce.exe,This process is associated with a tool used to dump hashes and execute pass-the-hash and pass-the-ticket attacks.
cain.exe,This process is associated with a tool used to collect user credentials and execute attacks.
nmap.exe,This process is an open source network mapping tool used to identify hosts and listening services on a network.
kidlogger.exe,This process is associated with a tool used to collect keyboard input on a host.
isass.exe,This process name mimics lsass.exe with the leading l replaced by i and is used by attackers to hide in plain sight and look like a legitimate Windows system process.
svch0st.exe,This process name mimics svchost.exe with the o replaced by a zero and is used by attackers to hide in plain sight and look like a legitimate Windows system process.
at.exe,This deprecated process is used to schedule other processes to run. Legitimate administration should use schtasks.exe instead as it provides more flexibility.
getmail.exe,This process is seen to be used by attackers to extract email files from host machines.
ntdll.exe,This process was identified as malicious by DHS Alert TA18-074A. The legitimate Windows component is ntdll.dll and no ntdll.exe ships with Windows.
netpass.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers to recover all network passwords stored on a system for the currently logged-on user.
WebBrowserPassView.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers as a password recovery tool that reveals the passwords stored in Web Browsers.
OutlookAddressBookView.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers to steal the details of all recipients stored in the address books of Microsoft Outlook.
mailpv.exe,This process was identified as malicious by DHS Alert TA18-201A and is used by attackers as a password-recovery tool that reveals the passwords and other account details from various email clients.
NLBrute.exe,An RDP brute force tool found in botnets for further expansion and acquisition of targets. This process was identified in the SamSam Ransomware Campaign and attackers use this tool to brute force RDP instances with a range of commonly used passwords.
selfdel.exe,This executable was delivered in the SamSam Ransomware Campaign and the attackers leveraged this binary to delete traces of their malicious activity.
masscan.exe,This executable was delivered in the XMRig Crypto Miner campaign and is a fast internet-scale port scanner.
Massscan_GUI.exe,This executable was delivered in the XMRig Crypto Miner campaign.
KPortScan3.exe,This executable was delivered in the XMRig Crypto Miner campaign and is commonly used by attackers to scan the internet.
NLAChecker.exe,A scanner tool that checks Windows hosts for Network Level Authentication. This tool allows attackers to detect Windows servers exposing RDP without NLA enabled which facilitates the use of non-Microsoft RDP brute force tools or exploits.
ns.exe,A tool commonly used by attackers to scan and map file shares.
SilverBullet.exe,Malware discovered in our monitoring of honeypots abuses this open source software for scanning and connecting to hosts.
kportscan3.exe,"KPortScan 3.0 is a port scanning tool widely distributed on hacking forums, used to perform network scanning on internal networks."
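As an added example (not part of the splunk/security_content repository or its detections), the following Python shows how a lookup like this one is consumed by a detection: it loads a few rows of the CSV, normalizes tool names to lower case so that the KPortScan3.exe and kportscan3.exe rows collapse into one entry, survives a row whose description contains an unquoted comma instead of dropping it, and then matches the file name of each process-creation event against the lookup. The CSV excerpt and the process-creation events are constructed for the example, and the event field names (`host`, `user`, `image`) are an assumption rather than any particular log schema.

```python
"""Added example (not part of splunk/security_content): apply the
attacker_tools lookup to constructed process-creation events."""
import csv
import io
import ntpath

# Constructed excerpt of the lookup. The last row deliberately reproduces the
# malformed kportscan3.exe line, whose unquoted comma splits it into 3 fields.
LOOKUP_CSV = """attacker_tool_names,description
remcom.exe,This process is an open source replacement for psexec and is not typically seen in an enterprise environment.
nc.exe,This process is an open source tool used for network communications.
isass.exe,This process name is used by attackers to hide in plain sight and look like a legitimate Windows system process.
KPortScan3.exe,This executable was delivered in the XMRig Crypto Miner and is commonly used by attackers to scan the internet
kportscan3.exe, KPortScan 3.0 is a widely used port scanning tool on Hacking Forums, to perform network scanning on the internal networks.
"""


def load_lookup(text):
    """Return {lowercased tool name: description}.

    Rows with more than two fields (an unquoted comma in the description) are
    re-joined rather than skipped, so the malformed row still matches by name.
    Lowercasing merges case-variant duplicates; the first description wins.
    """
    tools = {}
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[:2] != ["attacker_tool_names", "description"]:
        raise ValueError("unexpected lookup header: %r" % header)
    for row in reader:
        if len(row) < 2:
            continue  # blank or truncated row
        name = row[0].strip().lower()
        description = ",".join(row[1:]).strip()
        tools.setdefault(name, description)
    return tools


# Constructed process-creation events (field names are an assumption, loosely
# modelled on Sysmon EventID 1 / Windows 4688 data; not real logs).
EVENTS = [
    {"host": "ws01", "user": "acme\\alice", "image": r"C:\Windows\System32\lsass.exe"},
    {"host": "ws01", "user": "acme\\alice", "image": r"C:\Users\Public\isass.exe"},
    {"host": "ws02", "user": "acme\\bob", "image": r"C:\Tools\NC.EXE"},
    {"host": "srv01", "user": "acme\\svc", "image": r"D:\scan\kportscan3.exe"},
    {"host": "srv01", "user": "acme\\svc", "image": r"C:\Windows\System32\svchost.exe"},
]


def match_events(events, tools):
    """Return the events whose image file name is in the lookup, annotated
    with the normalized process name and the lookup description."""
    hits = []
    for event in events:
        # ntpath handles Windows separators regardless of the host OS.
        process_name = ntpath.basename(event["image"]).lower()
        if process_name in tools:
            hits.append({**event, "process_name": process_name,
                         "description": tools[process_name]})
    return hits


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    for hit in match_events(EVENTS, lookup):
        print("%s %s %s: %s" % (hit["host"], hit["user"],
                                hit["process_name"], hit["description"]))
```

Two points carry over to whatever engine actually applies the lookup: the legitimate lsass.exe and svchost.exe events produce no hit while their lookalikes do, because the match is on the exact file name and not a substring; and the NC.EXE event is only caught because both sides are lowercased, so a lookup applied without case normalization (or without being configured as case-insensitive) would miss it.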