signature-base/iocs/keywords.txt

# MALICIOUS KEYWORDS
#
# Subset of keywords from THOR APT Scanner

# Password Dumper
WCESERVICE
WCE_SERVICE
WCE SERVICE

# Mimikatz
eo.oe.kiwi
<3 eo.oe
mimilib
mimikatz
Mimikatz
privilege::debug
sekurlsa::LogonPasswords
sekurlsa::logonpasswords

# Metasploit
meterpreter
METERPRETER

# Metasploit PsExec
%COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp

# Malicious keywords
spoofing
keylogger
powersploit
passdumper
creddumper
credentialdumper
XScanPF

# Javascript Windows Scripting Host - Suspicious - see http://goo.gl/6HRCbk
wscript.exe /b /nologo /E:javascript

# Java Deserialisation Exploit Tools
yoserial-0.

# Powersploit
Powersploit

# Powershell Mimikatz https://adsecurity.org/?p=2604
Invoke-Mimikatz

# Don't remove this line
Keywords 2016-02-19 17:31:06 +00:00			`# MALICIOUS KEYWORDS`
			`#`
			`# Subset of keywords from THOR APT Scanner`

			`# Password Dumper`
			`WCESERVICE`
			`WCE_SERVICE`
			`WCE SERVICE`

			`# Mimikatz`
			`eo.oe.kiwi`
False Positive Reduction 2016-04-27 11:37:54 +00:00			`<3 eo.oe`
Keywords 2016-02-19 17:31:06 +00:00			`mimilib`
			`mimikatz`
			`Mimikatz`
			`privilege::debug`
			`sekurlsa::LogonPasswords`
			`sekurlsa::logonpasswords`

			`# Metasploit`
			`meterpreter`
			`METERPRETER`

			`# Metasploit PsExec`
			`%COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp`

			`# Malicious keywords`
			`spoofing`
			`keylogger`
			`powersploit`
			`passdumper`
			`creddumper`
			`credentialdumper`
			`XScanPF`

			`# Javascript Windows Scripting Host - Suspicious - see http://goo.gl/6HRCbk`
			`wscript.exe /b /nologo /E:javascript`

			`# Java Deserialisation Exploit Tools`
			`yoserial-0.`

			`# Powersploit`
			`Powersploit`

			`# Powershell Mimikatz https://adsecurity.org/?p=2604`
			`Invoke-Mimikatz`

			`# Don't remove this line`