{
    "type": "bundle",
    "id": "bundle--68a512db-8fb1-427d-aa8f-9808005ee4fa",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.908078Z",
            "modified": "2026-06-14T11:53:54.908078Z",
            "name": "The Hunters Ledger",
            "identity_class": "organization"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1e4467f4-7501-5720-9b3d-fdc2cada3f14",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.910405Z",
            "modified": "2026-06-14T11:53:54.910405Z",
            "name": "EncDec_ChaCha20_Constant",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule EncDec_ChaCha20_Constant {\n    meta:\n        description = \"Detects enc/dec ransomware by ChaCha20 constant\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-18\"\n        malware_family = \"enc/dec ransomware\"\n        confidence = \"HIGH\"\n        severity = \"CRITICAL\"\n        reference = \"RFC 8439 ChaCha20 Constant\"\n\n    strings:\n        $chacha20_constant = \"expand 32-byte k\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE file\n        $chacha20_constant\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--eeda4351-acf8-5469-9507-473c57e5cd0d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.911335Z",
            "modified": "2026-06-14T11:53:54.911335Z",
            "name": "EncDec_VSS_Deletion_Signature",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule EncDec_VSS_Deletion_Signature {\n    meta:\n        description = \"Detects enc/dec ransomware by a unique VSS deletion string\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-18\"\n        malware_family = \"enc/dec ransomware\"\n        confidence = \"HIGH\"\n        severity = \"CRITICAL\"\n\n    strings:\n        // Exact concatenated string found in enc_v2.exe and updated_enc.exe\n        $vss_sig = \"vssadmindeleteshadows/all/quietwmicshadowcopy\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE file\n        $vss_sig\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b643e914-2423-5b28-ba39-c52e67362307",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.911528Z",
            "modified": "2026-06-14T11:53:54.911528Z",
            "name": "EncDec_Rust_Ransomware_Artifacts",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule EncDec_Rust_Ransomware_Artifacts {\n    meta:\n        description = \"Detects enc/dec Rust ransomware by debug artifacts\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-18\"\n        malware_family = \"enc/dec ransomware\"\n        confidence = \"MEDIUM-HIGH\"\n        severity = \"CRITICAL\"\n\n    strings:\n        $rust_debug1 = \"chacha20_pervictim.rs\" ascii wide\n        $rust_debug2 = \"netusesrc/modules/disks.rs\" ascii wide\n        $rust_debug3 = \"/aead-0.5.2/src/lib.rs\" ascii wide\n        $rsa_key_marker = \"-----BEGIN PUBLIC KEY-----\" ascii wide\n        $enc_message = \"[*] Using RSA+ChaCha20 encryption\" ascii wide\n        $key_gen = \"[*] Generating unique encryption key\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE file\n        2 of ($rust_debug*) or\n        ($rsa_key_marker and ($enc_message or $key_gen))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3d17f92a-3e54-55c8-b0d2-0fa2ff1c1b27",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.911679Z",
            "modified": "2026-06-14T11:53:54.911679Z",
            "name": "EncDec_AntiDebug_Signature",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule EncDec_AntiDebug_Signature {\n    meta:\n        description = \"Detects an anti-debug technique shared across enc/dec\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-18\"\n        malware_family = \"enc/dec toolkit (all components)\"\n        confidence = \"MEDIUM\"\n        severity = \"HIGH\"\n        reference = \"Shared across agent.exe, steal_browser.exe, enc/dec ransomware\"\n\n    strings:\n        // Pattern for stack base check + Sleep(1000) in x64 assembly\n        // This is a heuristic and may need tuning to reduce false positives\n        $sleep_1000 = { E8 ?? ?? ?? ?? 6A 00 68 E8 03 00 00 }  // Sleep(0x3e8)\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE file\n        $sleep_1000\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--12df68bb-1812-54bb-ab24-cce1c66d0317",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.911821Z",
            "modified": "2026-06-14T11:53:54.911821Z",
            "name": "EncDec_enc_dec_Family_Comprehensive",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule EncDec_enc_dec_Family_Comprehensive {\n    meta:\n        description = \"Comprehensive detection for enc/dec ransomware family\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-18\"\n        malware_family = \"enc/dec ransomware\"\n        confidence = \"HIGH\"\n        severity = \"CRITICAL\"\n\n    strings:\n        // Cryptographic indicators\n        $crypto1 = \"expand 32-byte k\" ascii wide\n        $crypto2 = \"-----BEGIN PUBLIC KEY-----\" ascii wide\n\n        // System impact indicators\n        $impact1 = \"vssadmin\" ascii wide nocase\n        $impact2 = \"shadowcopy\" ascii wide nocase\n        $impact3 = \"wmic\" ascii wide nocase\n\n        // Rust artifacts\n        $rust1 = \"chacha20\" ascii wide nocase\n        $rust2 = \".rs\" ascii wide\n        $rust3 = \"aead\" ascii wide\n\n        // Operational strings\n        $ops1 = \"README\" ascii wide nocase\n        $ops2 = \"decrypt\" ascii wide nocase\n        $ops3 = \"--pass\" ascii wide\n        $ops4 = \"--file\" ascii wide\n        $ops5 = \"--folder\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE file\n        (\n            $crypto1 or  // ChaCha20 constant (highest confidence)\n            (\n                $crypto2 and  // RSA key\n                2 of ($impact*) and  // VSS deletion\n                1 of ($rust*)  // Rust implementation\n            ) or\n            (\n                3 of ($ops*) and  // Decryptor operational strings\n                1 of ($rust*)  // Rust implementation\n            )\n        )\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--47430a27-fbc8-55ea-9c8e-ee4541f9ca40",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.911971Z",
            "modified": "2026-06-14T11:53:54.911971Z",
            "name": "enc/dec Ransomware VSS Deletion Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: enc/dec Ransomware VSS Deletion Activity\nid: a1b2c3d4-e5f6-7890-abcd-ef1234567890\nstatus: stable\ndescription: Detects Volume Shadow Copy deletion commands consistent with the enc/dec ransomware family\nreferences:\n    - enc/dec ransomware technical analysis\nauthor: The Hunters Ledger\ndate: 2026/01/18\ntags:\n    - attack.impact\n    - attack.t1490\n    - attack.inhibit_system_recovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_vssadmin:\n        CommandLine|contains|all:\n            - 'vssadmin'\n            - 'delete'\n            - 'shadows'\n            - '/all'\n    selection_wmic:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'shadowcopy'\n            - 'delete'\n    condition: selection_vssadmin or selection_wmic\nfalsepositives:\n    - Legitimate system maintenance (rare)\n    - Backup software uninstallation\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--49fe08d6-ffab-57d2-a1db-7c7ea12af578",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912122Z",
            "modified": "2026-06-14T11:53:54.912122Z",
            "name": "enc/dec Ransomware Multi-Drive Enumeration",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: enc/dec Ransomware Multi-Drive Enumeration\nid: b2c3d4e5-f6a7-8901-bcde-f12345678901\nstatus: experimental\ndescription: Detects rapid sequential drive enumeration characteristic of enc/dec ransomware\nauthor: The Hunters Ledger\ndate: 2026/01/18\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|re: '^[A-Z]:\\\\.*'\n    timeframe: 10s\n    condition: selection | count(by Image) > 20  # 20+ drives accessed in 10 seconds\nfalsepositives:\n    - Backup software\n    - System inventory tools\n    - Legitimate file search utilities\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7ddce2e7-6860-5242-8376-7f344c75fb27",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912295Z",
            "modified": "2026-06-14T11:53:54.912295Z",
            "name": "enc/dec ChaCha20 Cryptographic Operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: enc/dec ChaCha20 Cryptographic Operations\nid: c3d4e5f6-a7b8-9012-cdef-123456789012\nstatus: experimental\ndescription: Detects processes loading or executing ChaCha20 cryptographic operations\nauthor: The Hunters Ledger\ndate: 2026/01/18\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection_strings:\n        - Strings|contains: 'expand 32-byte k'  # ChaCha20 constant\n        - Strings|contains: 'chacha20'\n    selection_memory:\n        MemoryAllocation|gt: 100MB  # Large memory allocations for file encryption\n        CPUUsage|gt: 80  # High CPU during encryption\n    condition: selection_strings and selection_memory\nfalsepositives:\n    - Legitimate encryption software\n    - VPN clients using ChaCha20\n    - Secure messaging applications (Signal, Wire, etc.)\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--054c0e06-c852-5cd6-a888-35182889637e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912464Z",
            "modified": "2026-06-14T11:53:54.912464Z",
            "name": "enc/dec Infrastructure Communication",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Splunk SPL\nindex=network earliest=-30d\n| search dest_ip=\"109.230.231.37\" OR src_ip=\"109.230.231.37\"\n| stats count by src_ip, dest_ip, dest_port, _time\n| where count > 1\n\n// Microsoft Defender / Sentinel KQL\nNetworkCommunicationEvents\n| where Timestamp > ago(30d)\n| where RemoteIP == \"109.230.231.37\" or LocalIP == \"109.230.231.37\"\n| summarize Count=count() by DeviceName, RemoteIP, RemotePort, LocalIP\n| where Count > 1",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6bce6d5d-c51f-5a49-80ea-4e252505545c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912626Z",
            "modified": "2026-06-14T11:53:54.912626Z",
            "name": "Suspicious Rust Executable Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Splunk SPL\nindex=endpoint earliest=-7d EventCode=1\n| search (Image=\"*.exe\" AND (CommandLine=\"*--pass*\" OR CommandLine=\"*--folder*\"))\n| stats count by Image, CommandLine, User, ComputerName\n\n// Microsoft Defender / Sentinel KQL\nDeviceProcessEvents\n| where Timestamp > ago(7d)\n| where FileName endswith \".exe\"\n| where ProcessCommandLine contains \"--pass\" or ProcessCommandLine contains \"--folder\"\n| summarize Count=count() by FileName, ProcessCommandLine, AccountName, DeviceName",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9809fbb0-e393-57ff-89e3-f124509f821a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912773Z",
            "modified": "2026-06-14T11:53:54.912773Z",
            "name": "Volume Shadow Copy Deletion Events",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Splunk SPL\nindex=endpoint earliest=-24h EventCode=1\n| search (Image=\"*vssadmin.exe\" AND CommandLine=\"*delete*shadows*\") OR (Image=\"*wmic.exe\" AND CommandLine=\"*shadowcopy*delete*\")\n| table _time, ComputerName, User, Image, CommandLine, ParentImage\n\n// Microsoft Defender / Sentinel KQL\nDeviceProcessEvents\n| where Timestamp > ago(24h)\n| where (FileName == \"vssadmin.exe\" and ProcessCommandLine contains \"delete\" and ProcessCommandLine contains \"shadows\")\n    or (FileName == \"wmic.exe\" and ProcessCommandLine contains \"shadowcopy\" and ProcessCommandLine contains \"delete\")\n| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cb19756a-b3a4-5582-9c58-1d25d0364298",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.912921Z",
            "modified": "2026-06-14T11:53:54.912921Z",
            "name": "High-Volume File Modification Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Splunk SPL\nindex=endpoint earliest=-1h EventCode=4663\n| stats dc(ObjectName) as UniqueFiles by SubjectUserName, ProcessName\n| where UniqueFiles > 1000  # Modified 1000+ files in 1 hour\n\n// Microsoft Defender / Sentinel KQL\nDeviceFileEvents\n| where Timestamp > ago(1h)\n| where ActionType in (\"FileModified\", \"FileCreated\")\n| summarize UniqueFiles=dcount(FileName) by InitiatingProcessFileName, AccountName, DeviceName\n| where UniqueFiles > 1000  # Modified 1000+ files in 1 hour",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--61e02a20-bebc-5910-ad70-4c3938ed9b4a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.91312Z",
            "modified": "2026-06-14T11:53:54.91312Z",
            "name": "ChaCha20 Constant in Process Memory",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Using YARA scanning via EDR\nindex=endpoint earliest=-24h\n| search yara_rule=\"EncDec_ChaCha20_Constant\"\n| table _time, ComputerName, User, ProcessName, ProcessPath, yara_matches\n\n// Manual Memory Scanning\n// Tools: Volatility, Process Hacker, custom PowerShell script\n// Search process memory for string \"expand 32-byte k\"",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--635e274c-edb1-5aa9-b3ce-c1ea2a93e6e7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.913358Z",
            "modified": "2026-06-14T11:53:54.913358Z",
            "name": "UAC Bypass via Fodhelper Registry Hijacking",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: UAC Bypass via Fodhelper Registry Hijacking\nid: 9a2c5b8f-3d1e-4f5a-8c9b-1a2d3e4f5a6b\nstatus: stable\ndescription: Detects creation of registry keys associated with the Fodhelper UAC bypass technique\nreferences:\n    - https://attack.mitre.org/techniques/T1548/002/\n    - https://github.com/hfiref0x/UACME\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    service: sysmon\n    definition: 'Sysmon Event ID 13 (Registry Value Set)'\ndetection:\n    selection:\n        EventID: 13\n        TargetObject|contains: '\\Software\\Classes\\ms-settings\\shell\\open\\command'\n    filter_legitimate:\n        Image|endswith:\n            - '\\fodhelper.exe'\n            - '\\SystemSettings.exe'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Legitimate system administration or registry cleanup tools (extremely rare)\n    - Legitimate use of the Windows Settings application\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a0162d97-93c3-561c-9585-3073eb9a324d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.913615Z",
            "modified": "2026-06-14T11:53:54.913615Z",
            "name": "UAC Bypass via CMSTPLUA COM Interface Abuse",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: UAC Bypass via CMSTPLUA COM Interface Abuse\nid: 7b3c6d9e-4f2a-5e8b-9c1d-2a3e4f5a6b7c\nstatus: experimental\ndescription: Detects process elevation via the CMSTPLUA COM interface without a UAC prompt\nreferences:\n    - https://attack.mitre.org/techniques/T1548/002/\n    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nauthor: The Hunters Ledger\ndate: 2026/01/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'Windows Security Event ID 4688 (Process Creation)'\ndetection:\n    selection_process:\n        EventID: 4688\n        ParentProcessName|endswith: '\\DllHost.exe'\n        TokenElevationType: '%%1937'  # High integrity level\n    selection_clsid:\n        CommandLine|contains: '{6EDD6D74-C007-4E75-B76A-E5740995E24C}'\n    timeframe: 10s\n    condition: selection_process or selection_clsid\nfalsepositives:\n    - Legitimate COM-based elevation by trusted Windows components\n    - Some Windows update processes\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--629ed18d-2bee-5f37-b14d-701564428277",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.91383Z",
            "modified": "2026-06-14T11:53:54.91383Z",
            "name": "Suspicious Privilege Escalation Without UAC Consent",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Privilege Escalation Without UAC Consent\nid: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f\nstatus: stable\ndescription: Detects privilege escalation to High integrity level without corresponding UAC consent event\nreferences:\n    - https://attack.mitre.org/techniques/T1548/002/\nauthor: The Hunters Ledger\ndate: 2026/01/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_elevation:\n        EventID: 4672  # Special Privileges Assigned\n        PrivilegeList|contains: 'SeDebugPrivilege'\n    selection_no_consent:\n        EventID: 4103  # UAC consent\n    filter_system:\n        SubjectUserName: 'SYSTEM'\n    timeframe: 5s\n    condition: selection_elevation and not selection_no_consent and not filter_system\nfalsepositives:\n    - Scheduled tasks running with administrative privileges\n    - System services launching with elevated privileges\n    - Legitimate administrative tools\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8d0f9ae4-8724-5424-92a0-41faf1d8422a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.914072Z",
            "modified": "2026-06-14T11:53:54.914072Z",
            "name": "Suspicious Child Process Spawned by fodhelper.exe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Child Process Spawned by fodhelper.exe\nid: 2a3b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d\nstatus: stable\ndescription: Detects fodhelper.exe spawning unexpected child processes (potential UAC bypass)\nreferences:\n    - https://attack.mitre.org/techniques/T1548/002/\nauthor: The Hunters Ledger\ndate: 2026/01/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\fodhelper.exe'\n    filter_legitimate:\n        Image|endswith:\n            - '\\SystemSettings.exe'\n            - '\\SettingsPageHost.exe'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Windows Settings application launching legitimate components\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ba2317ba-7aa6-5262-bfed-f5c0a03a8848",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.914317Z",
            "modified": "2026-06-14T11:53:54.914317Z",
            "name": "Microsoft Defender for Endpoint (KQL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Hunt for Fodhelper UAC bypass via registry hijacking\nDeviceRegistryEvents\n| where ActionType == \"RegistryValueSet\"\n| where RegistryKey has @\"Software\\Classes\\ms-settings\\shell\\open\\command\"\n| where InitiatingProcessFileName !in (\"fodhelper.exe\", \"SystemSettings.exe\")\n| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine\n| order by Timestamp desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--079ae08b-524f-58d3-a692-c54187a4619c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.915365Z",
            "modified": "2026-06-14T11:53:54.915365Z",
            "name": "Splunk SPL",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=windows (EventCode=4657 OR EventCode=13)\n| eval uac_bypass_fodhelper=if(like(TargetObject, \"%\\\\ms-settings\\\\shell\\\\open\\\\command%\") OR like(registry_path, \"%\\\\ms-settings\\\\shell\\\\open\\\\command%\"), \"Fodhelper Registry Hijack\", null())\n| where isnotnull(uac_bypass_fodhelper)\n| eval severity=\"HIGH\"\n| stats count by _time, host, user, uac_bypass_fodhelper, Image, TargetObject, Details\n| sort -_time",
            "pattern_type": "spl",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d08bddc6-7fef-54d7-b117-8268b1b89d57",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.915938Z",
            "modified": "2026-06-14T11:53:54.915938Z",
            "name": "Elastic Security (EQL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "registry where\n  registry.path : \"*\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command*\"\n  and not process.name : (\"fodhelper.exe\", \"SystemSettings.exe\")",
            "pattern_type": "eql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--021ca7fa-127d-548f-978f-93b0853b9362",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916313Z",
            "modified": "2026-06-14T11:53:54.916313Z",
            "name": "CONNECTION to Known Malware Distribution IP 109.230.231.37",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert ip any any -> 109.230.231.37 any (msg:\"CONNECTION to Known Malware Distribution IP 109.230.231.37\"; sid:1000001; rev:1;)\nalert ip 109.230.231.37 any -> any any (msg:\"CONNECTION from Known Malware Distribution IP 109.230.231.37\"; sid:1000002; rev:1;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--82dfcb8c-2df6-5c68-9ce8-0d385852eac2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916438Z",
            "modified": "2026-06-14T11:53:54.916438Z",
            "name": "FleetAgentFUD PowerShell Execution Policy Bypass from AppData",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD PowerShell Execution Policy Bypass from AppData\nid: a1b2c3d4-fleetfud-powershell-bypass-001\nstatus: stable\ndescription: Detects PowerShell execution with Execution Policy bypass from suspicious AppData locations (FleetAgentFUD RAT pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_powershell:\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains|all:\n            - '-Exec'\n            - 'Bypass'\n    selection_parent:\n        ParentImage|contains: '\\AppData\\'\n    selection_hidden:\n        CommandLine|contains:\n            - '-W Hidden'\n            - '-WindowStyle Hidden'\n    condition: selection_powershell and selection_parent and selection_hidden\nfalsepositives:\n    - Legitimate software installers using PowerShell from AppData (verify digital signature)\n    - Administrative scripts executed from user directories (review context)\nlevel: high\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense_evasion\n    - attack.t1562.001\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ae2a047d-2e61-5fc0-8d83-dd32a2b1cc37",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916562Z",
            "modified": "2026-06-14T11:53:54.916562Z",
            "name": "FleetAgentFUD Clipboard Monitoring - Repeated Get-Clipboard Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD Clipboard Monitoring - Repeated Get-Clipboard Execution\nid: b2c3d4e5-fleetfud-clipboard-monitor-002\nstatus: stable\ndescription: Detects repeated PowerShell Get-Clipboard executions indicating clipboard data theft (FleetAgentFUD credential theft technique)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: ps_script\ndetection:\n    selection:\n        EventID: 4104\n        ScriptBlockText|contains: 'Get-Clipboard'\n    timeframe: 1h\n    condition: selection | count(ComputerName, User) >= 10\nfalsepositives:\n    - Legitimate clipboard management tools\n    - User productivity automation scripts (verify legitimacy)\nlevel: critical\ntags:\n    - attack.collection\n    - attack.t1115\n    - attack.credential_access\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ea8214d5-ca3c-528c-a8c6-0cbcf1e11de1",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916688Z",
            "modified": "2026-06-14T11:53:54.916688Z",
            "name": "FleetAgentFUD WebSocket Connection from AppData .NET Executable",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD WebSocket Connection from AppData .NET Executable\nid: c3d4e5f6-fleetfud-websocket-appdata-003\nstatus: experimental\ndescription: Detects WebSocket-like network connections from .NET executables in AppData (FleetAgentFUD C2 pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection_image:\n        Image|contains: '\\AppData\\'\n        Image|endswith: '.exe'\n    selection_port:\n        DestinationPort:\n            - 80\n            - 443\n            - 8080\n            - 8443\n    filter_signed:\n        Signature: 'Microsoft Corporation'\n        SignatureStatus: 'Valid'\n    condition: selection_image and selection_port and not filter_signed\nfalsepositives:\n    - Legitimate .NET applications in AppData (Microsoft Teams, Discord, Slack) - verify digital signature\n    - Development/testing tools\nlevel: high\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dff46164-3818-52a9-98ea-db785c4c21b4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916822Z",
            "modified": "2026-06-14T11:53:54.916822Z",
            "name": "FleetAgentFUD File Download to Suspicious Locations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD File Download to Suspicious Locations\nid: d4e5f6a7-fleetfud-file-download-004\nstatus: stable\ndescription: Detects executable file creation in Public/Temp folders from AppData processes (FleetAgentFUD payload download)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_file:\n        EventID: 11\n        TargetFilename|contains:\n            - 'C:\\Users\\Public\\'\n            - 'C:\\Windows\\Temp\\'\n        TargetFilename|endswith:\n            - '.exe'\n            - '.dll'\n            - '.scr'\n    selection_process:\n        Image|contains: '\\AppData\\'\n    condition: selection_file and selection_process\nfalsepositives:\n    - Software installers extracting temporary files\n    - Update mechanisms using Public/Temp folders\nlevel: high\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.command_and_control\n    - attack.t1105\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--21980451-499b-56d5-b850-31fe6fbc5586",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.916946Z",
            "modified": "2026-06-14T11:53:54.916946Z",
            "name": "FleetAgentFUD RWX Memory Allocation from .NET Executable",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD RWX Memory Allocation from .NET Executable\nid: e5f6a7b8-fleetfud-virtualprotect-rwx-005\nstatus: experimental\ndescription: Detects VirtualProtect API calls with RWX permissions from .NET executables (shellcode execution indicator)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: api_call\ndetection:\n    selection:\n        CallTrace|contains: 'VirtualProtect'\n        Protection: 'PAGE_EXECUTE_READWRITE'\n        Image|contains: '\\AppData\\'\n    filter_legitimate:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - .NET Just-In-Time (JIT) compilation (legitimate .NET Framework behavior)\n    - Legitimate .NET applications using dynamic code generation\nlevel: high\ntags:\n    - attack.defense_evasion\n    - attack.t1055\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5811819b-8e77-52f8-9697-f551df4f2159",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.917068Z",
            "modified": "2026-06-14T11:53:54.917068Z",
            "name": "FleetAgentFUD Multi-Stage Attack Pattern Correlation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD Multi-Stage Attack Pattern Correlation\nid: f6a7b8c9-fleetfud-multistage-006\nstatus: experimental\ndescription: Correlates multiple FleetAgentFUD attack stages within short timeframe (high-confidence detection)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_stage1_process:\n        Image|contains: '\\AppData\\'\n        Image|endswith: '.exe'\n    selection_stage2_network:\n        EventID: 3\n        DestinationPort: 443\n    selection_stage3_powershell:\n        EventID: 1\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains: '-Exec Bypass'\n    timeframe: 5m\n    condition: selection_stage1_process and selection_stage2_network and selection_stage3_powershell\nfalsepositives:\n    - Complex legitimate software with network access and PowerShell usage\nlevel: critical\ntags:\n    - attack.execution\n    - attack.command_and_control\n    - attack.collection\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--159e0f2f-a6b8-57d5-bc65-005685d5b8b7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.917193Z",
            "modified": "2026-06-14T11:53:54.917193Z",
            "name": "FleetAgentFUD Distribution Infrastructure Connection - CRITICAL",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (msg:\"FleetAgentFUD Distribution Infrastructure Connection - CRITICAL\"; flow:established,to_server; reference:url,github.com/yourusername/threat-intel/fleetagentfud; classtype:trojan-activity; sid:2100020; rev:1; priority:1; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity CRITICAL;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f2a7bc71-273c-5fad-b652-f712e4d1eed9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.91732Z",
            "modified": "2026-06-14T11:53:54.91732Z",
            "name": "Suspicious WebSocket Upgrade from Untrusted Process - Potential FleetAgentFUD C2",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"Suspicious WebSocket Upgrade from Untrusted Process - Potential FleetAgentFUD C2\"; flow:established,to_server; content:\"Connection|3a 20|Upgrade\"; http_header; content:\"Sec-WebSocket-Key\"; http_header; content:\"Sec-WebSocket-Version|3a 20|13\"; http_header; reference:url,github.com/yourusername/threat-intel/fleetagentfud; classtype:trojan-activity; sid:2100021; rev:1; priority:2; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity HIGH;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3fa7f3d7-4a82-5b39-8872-2851ee117d06",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.917457Z",
            "modified": "2026-06-14T11:53:54.917457Z",
            "name": "FleetAgentFUD WebSocket Authentication Header - X-Agent-Secret Detected",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"FleetAgentFUD WebSocket Authentication Header - X-Agent-Secret Detected\"; flow:established,to_server; content:\"X-Agent-Secret|3a 20|\"; http_header; reference:url,github.com/yourusername/threat-intel/fleetagentfud; classtype:trojan-activity; sid:2100022; rev:1; priority:1; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity CRITICAL;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--535a79a2-04b7-5a5b-bf2e-249cdf0f79d7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.917606Z",
            "modified": "2026-06-14T11:53:54.917606Z",
            "name": "Suspicious .NET WebClient User-Agent with WebSocket Upgrade - Potential FleetAgentFUD",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"Suspicious .NET WebClient User-Agent with WebSocket Upgrade - Potential FleetAgentFUD\"; flow:established,to_server; content:\"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.2|3b| .NET CLR\"; http_header; content:\"Connection|3a 20|Upgrade\"; http_header; reference:url,github.com/yourusername/threat-intel/fleetagentfud; classtype:trojan-activity; sid:2100023; rev:1; priority:2; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity HIGH;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--083d4d9a-1dea-5d32-8775-bb6a0dadad50",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.917742Z",
            "modified": "2026-06-14T11:53:54.917742Z",
            "name": "Splunk SPL Queries",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=windows (source=WinEventLog:Security OR source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR source=WinEventLog:Microsoft-Windows-PowerShell/Operational)\n(\n    (EventCode=1 Image=\"*\\\\powershell.exe\" CommandLine=\"*-Exec*Bypass*\" ParentImage=\"*\\\\AppData\\\\*\") OR\n    (EventCode=4104 ScriptBlockText=\"Get-Clipboard\") OR\n    (EventCode=3 Image=\"*\\\\AppData\\\\*\" DestinationPort=443) OR\n    (EventCode=11 TargetFilename=\"C:\\\\Users\\\\Public\\\\*.exe\" Image=\"*\\\\AppData\\\\*\")\n)\n| bucket _time span=5m\n| stats count dc(EventCode) as EventTypes by _time, ComputerName, User\n| where EventTypes >= 2\n| eval Severity=\"CRITICAL\", ThreatName=\"FleetAgentFUD Multi-Stage Attack\", Recommendation=\"Immediate isolation and forensic analysis required\"\n| table _time, ComputerName, User, count, EventTypes, Severity, ThreatName, Recommendation",
            "pattern_type": "spl",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7e15bd8d-10be-544f-af7f-81ddde8b6081",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.918191Z",
            "modified": "2026-06-14T11:53:54.918191Z",
            "name": "Microsoft Defender ATP (KQL) Advanced Hunting",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Hunt for FleetAgentFUD.exe indicators across multiple data sources\nlet TargetHash = \"072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff\";\nunion\n    // File Hash Match\n    (DeviceFileEvents\n    | where SHA256 == TargetHash\n    | project Timestamp, DeviceName, FileName, FolderPath, FileSize, Severity = \"CRITICAL\", Indicator = \"File Hash Match\"),\n\n    // PowerShell Bypass\n    (DeviceProcessEvents\n    | where FileName == \"powershell.exe\"\n    | where ProcessCommandLine has_any (\"-Exec Bypass\", \"-ExecutionPolicy Bypass\", \"-W Hidden\")\n    | where InitiatingProcessFolderPath has \"AppData\"\n    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, Severity = \"HIGH\", Indicator = \"PowerShell Bypass\"),\n\n    // Clipboard Monitoring\n    (DeviceProcessEvents\n    | where FileName == \"powershell.exe\"\n    | where ProcessCommandLine has \"Get-Clipboard\"\n    | summarize ClipboardChecks = count() by DeviceName, bin(Timestamp, 1h), InitiatingProcessFileName\n    | where ClipboardChecks >= 10\n    | project Timestamp, DeviceName, InitiatingProcessFileName, ClipboardChecks, Severity = \"CRITICAL\", Indicator = \"Clipboard Monitoring\"),\n\n    // WebSocket Network Activity\n    (DeviceNetworkEvents\n    | where InitiatingProcessFolderPath has \"AppData\"\n    | where RemotePort in (80, 443, 8080, 8443)\n    | where InitiatingProcessFileName endswith \".exe\"\n    | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, Severity = \"MEDIUM\", Indicator = \"Suspicious Network\"),\n\n    // File Download to Suspicious Locations\n    (DeviceFileEvents\n    | where ActionType == \"FileCreated\"\n    | where FolderPath has_any (\"C:\\\\Users\\\\Public\", \"C:\\\\Windows\\\\Temp\")\n    | where FileName endswith \".exe\"\n    | where InitiatingProcessFolderPath has \"AppData\"\n    | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, Severity = \"HIGH\", Indicator = \"Payload Download\")\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0eaf7c14-b4ae-593a-80dd-f16ad0fd98a2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.918476Z",
            "modified": "2026-06-14T11:53:54.918476Z",
            "name": "EQL - PowerShell Bypass + Clipboard Monitoring Sequence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sequence by host.name with maxspan=10m\n  [process where process.name == \"powershell.exe\" and process.args like \"*-Exec*Bypass*\" and process.parent.path like \"*AppData*\"]\n  [process where process.name == \"powershell.exe\" and process.args like \"*Get-Clipboard*\"]",
            "pattern_type": "eql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d6084834-ae2a-5cab-b9e4-c3010fc51bf8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.918604Z",
            "modified": "2026-06-14T11:53:54.918604Z",
            "name": "EQL - Network Connection + File Download Sequence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sequence by host.name with maxspan=5m\n  [network where process.path like \"*AppData*\" and destination.port in (80, 443)]\n  [file where event.action == \"creation\" and file.path like \"*Public*\" and file.extension == \"exe\"]",
            "pattern_type": "eql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--84599bde-6e1d-5d5b-95a7-aa79c9f0e6b7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.918741Z",
            "modified": "2026-06-14T11:53:54.918741Z",
            "name": "FleetAgentFUD Rapid System Reconnaissance Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentFUD Rapid System Reconnaissance Pattern\nid: a7b8c9d0-fleetfud-recon-sequence-007\nstatus: experimental\ndescription: Detects rapid-fire system reconnaissance commands (sysinfo, processes, network, users, disk) typical of FleetAgentFUD automated profiling\nauthor: The Hunters Ledger\ndate: 2026/01/12\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_powershell:\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains|any:\n            - 'Get-WmiObject Win32_'\n            - 'Get-Process'\n            - 'Get-LocalUser'\n            - 'ipconfig /all'\n            - 'Win32_LogicalDisk'\n    timeframe: 5m\n    condition: selection_powershell | count(ComputerName) >= 3\nfalsepositives:\n    - System administration scripts\n    - IT inventory tools\nlevel: high\ntags:\n    - attack.discovery\n    - attack.t1082\n    - attack.t1033\n    - fleetagentfud",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9151604a-6eda-5b17-97f4-4ccfcaf00189",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.918885Z",
            "modified": "2026-06-14T11:53:54.918885Z",
            "name": "FleetAgentAdvanced Quad-Persistence Establishment",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced Quad-Persistence Establishment\nid: a1b2c3d4-fleet-quad-persistence-001\nstatus: stable\ndescription: Detects FleetAgentAdvanced quad-persistence mechanism establishment pattern\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_schtasks:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/create'\n            - '.NET Runtime Optimization'\n    selection_registry:\n        EventID: 13\n        TargetObject|contains: 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n        Details|contains: 'RuntimeOptimization.exe'\n    selection_startup:\n        EventID: 11\n        TargetFilename|contains|all:\n            - '\\Start Menu\\Programs\\Startup\\'\n            - 'Runtime Optimization'\n            - '.lnk'\n    timeframe: 5s\n    condition: 2 of selection_*\nfalsepositives:\n    - Legitimate .NET Framework maintenance tasks (verify digital signature)\nlevel: high\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - attack.t1053.005\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dd9f4a6c-143d-593b-94c6-1554324bd730",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.919026Z",
            "modified": "2026-06-14T11:53:54.919026Z",
            "name": "FleetAgentAdvanced Task.xml Deletion Anti-Forensics",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced Task.xml Deletion Anti-Forensics\nid: b2c3d4e5-fleet-taskxml-deletion-002\nstatus: stable\ndescription: Detects task.xml deletion immediately after scheduled task creation (FleetAgentAdvanced anti-forensics signature)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|endswith: '\\task.xml'\n        Image|contains: '.exe'\n    filter_legitimate:\n        Image|contains:\n            - '\\System32\\'\n            - '\\SysWOW64\\'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Some legitimate installers may use similar patterns\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.t1070.004\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--89166cd2-1fb7-5cf8-8420-c463242d585e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.919167Z",
            "modified": "2026-06-14T11:53:54.919167Z",
            "name": "FleetAgentAdvanced RuntimeOptimization.exe Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced RuntimeOptimization.exe Execution\nid: c3d4e5f6-fleet-runtime-exec-003\nstatus: stable\ndescription: Detects execution of RuntimeOptimization.exe from AppData\\Microsoft\\CLR\\ directory\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|contains|all:\n            - '\\AppData\\Roaming\\Microsoft\\CLR\\'\n            - 'RuntimeOptimization.exe'\n    condition: selection\nfalsepositives:\n    - None expected (legitimate .NET runtime optimization uses System32 paths)\nlevel: critical\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5eda9b62-41f7-5979-a60a-2066d0d38d8e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.919376Z",
            "modified": "2026-06-14T11:53:54.919376Z",
            "name": "FleetAgentAdvanced Microsoft .NET Masquerading Persistence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced Microsoft .NET Masquerading Persistence\nid: d4e5f6a7-fleet-dotnet-masq-004\nstatus: stable\ndescription: Detects persistence mechanisms using Microsoft .NET naming without valid Microsoft signatures\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n        Details|contains|all:\n            - 'Microsoft'\n            - '.NET'\n            - 'Runtime'\n        Details|contains:\n            - '\\AppData\\'\n    filter_signed:\n        Signature: 'Microsoft Corporation'\n        SignatureStatus: 'Valid'\n    condition: selection and not filter_signed\nfalsepositives:\n    - Unsigned .NET development tools (verify legitimacy)\nlevel: high\ntags:\n    - attack.persistence\n    - attack.defense_evasion\n    - attack.t1547.001\n    - attack.t1036.005\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e6f84f8e-db30-55ee-ae89-cfa9c9e41e69",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.91956Z",
            "modified": "2026-06-14T11:53:54.91956Z",
            "name": "FleetAgentAdvanced Process Injection from .NET Executable",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced Process Injection from .NET Executable\nid: e5f6a7b8-fleet-injection-005\nstatus: experimental\ndescription: Detects process injection API sequences from .NET executables in AppData\nauthor: The Hunters Ledger\ndate: 2026/01/12\nmodified: 2026/01/12\nlogsource:\n    product: windows\n    category: api_call\ndetection:\n    selection:\n        Image|contains: '\\AppData\\'\n        CallTrace|contains|all:\n            - 'VirtualAllocEx'\n            - 'WriteProcessMemory'\n            - 'CreateRemoteThread'\n    filter_legitimate:\n        Image|contains:\n            - '\\Program Files\\'\n            - '\\Program Files (x86)\\'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Legitimate development tools and debuggers from AppData\nlevel: high\ntags:\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1055\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e74fa495-3fcb-5855-b791-93fd06e2caf3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.919709Z",
            "modified": "2026-06-14T11:53:54.919709Z",
            "name": "FleetAgentAdvanced Distribution Infrastructure Connection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (msg:\"FleetAgentAdvanced Distribution Infrastructure Connection\"; flow:established,to_server; reference:url,github.com/yourusername/threat-intel/fleetagentadvanced; classtype:trojan-activity; sid:2100010; rev:1; priority:1; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity HIGH;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4d9c5203-651f-50ba-aeef-e0ae8fbbf8b7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.919851Z",
            "modified": "2026-06-14T11:53:54.919851Z",
            "name": "Suspicious Encrypted Traffic from AppData Process - Potential FleetAgentAdvanced C2",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Suspicious Encrypted Traffic from AppData Process - Potential FleetAgentAdvanced C2\"; flow:established,to_server; content:\"|17 03|\"; depth:2; offset:0; flowbits:set,encrypted.appdata; reference:url,github.com/yourusername/threat-intel/fleetagentadvanced; classtype:trojan-activity; sid:2100011; rev:1; priority:2; metadata:created_at 2026_01_12, updated_at 2026_01_12, severity MEDIUM;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--17065a23-b8f0-58d8-9d61-9377faf616ad",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.920676Z",
            "modified": "2026-06-14T11:53:54.920676Z",
            "name": "EQL - Quad-Persistence Sequence Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sequence by host.name with maxspan=5s\n  [registry where registry.path like \"*CurrentVersion\\\\Run*\" and registry.data.strings like \"*RuntimeOptimization.exe*\"]\n  [file where file.path like \"*Startup*\" and file.extension == \"lnk\"]\n  [process where process.name == \"schtasks.exe\" and process.args like \"*/create*\"]",
            "pattern_type": "eql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--737fc518-fef8-5ccf-bd8b-ba07322b2423",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.920809Z",
            "modified": "2026-06-14T11:53:54.920809Z",
            "name": "EQL - Task.xml Creation and Deletion Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sequence by host.name, process.entity_id with maxspan=2s\n  [process where process.name == \"schtasks.exe\" and process.args like \"*/create*\"]\n  [file where event.action == \"deletion\" and file.name == \"task.xml\"]",
            "pattern_type": "eql",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--64689a1b-8662-579a-affd-5cbaa6f1f211",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.920945Z",
            "modified": "2026-06-14T11:53:54.920945Z",
            "name": ".NET Dropper with Base64 Embedded Payload Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: .NET Dropper with Base64 Embedded Payload Execution\nid: f6a7b8c9-fleet-base64-payload-006\nstatus: experimental\ndescription: Detects .NET executables decoding Base64 payloads and writing to disk (FleetAgentAdvanced pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nlogsource:\n    product: windows\n    category: api_call\ndetection:\n    selection:\n        CallTrace|contains|all:\n            - 'FromBase64String'\n            - 'WriteAllBytes'\n        Image|contains: '.exe'\n    filter_legitimate:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Legitimate installers using Base64-encoded resources\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--40f18f46-997f-57ab-9c81-d7cc10b3bfc5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.921094Z",
            "modified": "2026-06-14T11:53:54.921094Z",
            "name": "FleetAgentAdvanced RuntimeOptimization.exe File Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: FleetAgentAdvanced RuntimeOptimization.exe File Creation\nid: a7b8c9d0-fleet-file-creation-007\nstatus: stable\ndescription: Detects creation of RuntimeOptimization.exe file in AppData\\Microsoft\\CLR\\ directory\nauthor: The Hunters Ledger\ndate: 2026/01/12\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        EventID: 11 # File created\n        TargetFilename|contains|all:\n            - '\\AppData\\Roaming\\Microsoft\\CLR\\'\n            - 'RuntimeOptimization.exe'\n    condition: selection\nfalsepositives:\n    - None expected (legitimate .NET components do not use this path)\nlevel: critical\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - fleetagentadvanced",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1ddff2a3-89e6-5ae5-a6d2-b2754c3a8fc6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.921244Z",
            "modified": "2026-06-14T11:53:54.921244Z",
            "name": "XWorm RAT v2.4.0 WebSocket C2 Connection to Known Infrastructure",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: XWorm RAT v2.4.0 WebSocket C2 Connection to Known Infrastructure\nid: f8e7e73b-f2b2-6635-800a-042e7890a35f\nstatus: stable\ndescription: Detects WebSocket connections to known XWorm v2.4.0 C2 server 109.230.231.37\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent_xworm_v2.exe analysis report\n    - Open Directory 109.230.231.37 investigation\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\n    - attack.t1132.001\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationIp: '109.230.231.37'\n    condition: selection\nfalsepositives:\n    - None - IP is confirmed malicious infrastructure\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59786924-d4f9-58ad-94ff-dcc338dde3c9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.921495Z",
            "modified": "2026-06-14T11:53:54.921495Z",
            "name": "Suspicious .NET Process with Hidden Console and WebSocket Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious .NET Process with Hidden Console and WebSocket Activity\nid: 4164a194-5d83-7325-5a5c-b7e42f05c259\nstatus: experimental\ndescription: Detects .NET executables hiding the console window while establishing WebSocket connections (XWorm v2.x behavior)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - XWorm RAT v2.x behavioral analysis\ntags:\n    - attack.defense_evasion\n    - attack.t1564.003\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_dotnet:\n        Image|endswith: '.exe'\n        CommandLine|contains: 'v4.0.30319'\n    selection_hidden:\n        WindowStyle|contains:\n            - 'Hidden'\n            - 'SW_HIDE'\n            - 'CreateNoWindow'\n    selection_websocket:\n        # Process establishing WebSocket connection\n        NetworkConnection: true\n        DestinationPort:\n            - 80\n            - 443\n            - 8080\n    condition: selection_dotnet and selection_hidden and selection_websocket\nfalsepositives:\n    - Legitimate .NET applications with background WebSocket operations\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8fcc5368-f810-5d52-a283-50f41d661543",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.921739Z",
            "modified": "2026-06-14T11:53:54.921739Z",
            "name": "PowerShell Execution from .NET Process in User-Writable Directory",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: PowerShell Execution from .NET Process in User-Writable Directory\nid: 7c624e0b-11c8-17d5-16f9-411972191c46\nstatus: experimental\ndescription: Detects PowerShell execution from .NET binaries in user-writable directories (XWorm execution pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - XWorm v2.x PowerShell execution capability\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_powershell:\n        Image|endswith: 'powershell.exe'\n        CommandLine|contains: '-NoP -C'\n    selection_parent:\n        ParentImage|contains:\n            - '\\AppData\\'\n            - '\\Temp\\'\n            - '\\Users\\'\n        ParentImage|endswith: '.exe'\n    filter:\n        ParentImage|contains:\n            - 'Microsoft'\n            - 'Visual Studio'\n    condition: selection_powershell and selection_parent and not filter\nfalsepositives:\n    - Legitimate development tools, software installers\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--33d63f30-b533-5499-be39-1fcb83bb92fe",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.921953Z",
            "modified": "2026-06-14T11:53:54.921953Z",
            "name": "XWorm RAT PowerShell Reconnaissance Command Sequence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: XWorm RAT PowerShell Reconnaissance Command Sequence\nid: f8e7e73b-f2b2-6635-800a-042e7890a35a\nstatus: experimental\ndescription: Detects a rapid sequence of PowerShell reconnaissance commands typical of XWorm RAT\nauthor: The Hunters Ledger\ndate: 2026/01/12\ntags:\n    - attack.discovery\n    - attack.t1082\n    - attack.t1057\n    - attack.t1007\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging (Event ID 4104)'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Get-Process|Sort CPU'\n            - 'Get-Service|?{$_.Status -eq'\n            - 'Win32_ComputerSystem'\n    timeframe: 60s\n    condition: selection | count() >= 2\nfalsepositives:\n    - System administration scripts, legitimate automation\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a96688aa-f8c0-55bf-b6f5-bbe916f232f6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.923602Z",
            "modified": "2026-06-14T11:53:54.923602Z",
            "name": "MALWARE XWorm RAT v2.4.0 C2 Connection to 109.230.231.37",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (\n    msg:\"MALWARE XWorm RAT v2.4.0 C2 Connection to 109.230.231.37\";\n    flow:to_server,established;\n    reference:sha256,f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e;\n    classtype:trojan-activity;\n    sid:1000020;\n    rev:1;\n)\n\nalert tcp 109.230.231.37 any -> $HOME_NET any (\n    msg:\"MALWARE XWorm RAT v2.4.0 C2 Response from 109.230.231.37\";\n    flow:to_client,established;\n    reference:sha256,f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e;\n    classtype:trojan-activity;\n    sid:1000021;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b857f694-0760-5dd8-a009-32f9d39a32da",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.923735Z",
            "modified": "2026-06-14T11:53:54.923735Z",
            "name": "SUSPICIOUS WebSocket Upgrade from User Directory Process",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> any any (\n    msg:\"SUSPICIOUS WebSocket Upgrade from User Directory Process\";\n    flow:to_server,established;\n    content:\"Upgrade|3a 20|websocket\"; http_header;\n    content:\"GET\"; http_method;\n    threshold:type both, track by_src, count 3, seconds 60;\n    classtype:suspicious-traffic;\n    sid:1000022;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c168957f-470b-5243-8795-6421a454d188",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.92389Z",
            "modified": "2026-06-14T11:53:54.92389Z",
            "name": "MALWARE XWorm AgentSec Authentication Secret Detected",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> any any (\n    msg:\"MALWARE XWorm AgentSec Authentication Secret Detected\";\n    flow:to_server,established;\n    content:\"AgentSec_\"; nocase;\n    pcre:\"/AgentSec_[0-9A-Za-z]{40,50}/i\";\n    classtype:trojan-activity;\n    sid:1000023;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--185bc2b3-ce6c-5a3e-b3e7-f6e3798e9303",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.92403Z",
            "modified": "2026-06-14T11:53:54.92403Z",
            "name": "SUSPICIOUS Base64 encoded WebSocket traffic from process",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> any any (\n    msg:\"SUSPICIOUS Base64 encoded WebSocket traffic from process\";\n    flow:to_server,established;\n    content:\"|41 67 65 6e 74|\"; // \"Agent\" in hex\n    content:\"WebSocket\"; nocase;\n    pcre:\"/^[A-Za-z0-9+\\/]{20,}={0,2}$/\";\n    threshold:type both, track by_src, count 5, seconds 60;\n    classtype:suspicious-traffic;\n    sid:1000024;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4d4e5253-1e4e-590e-9e4a-25d1930c6d60",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.924182Z",
            "modified": "2026-06-14T11:53:54.924182Z",
            "name": "Splunk Query for XWorm PowerShell Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104\n| search (\n    ScriptBlockText IN (\"*Get-Process|Sort CPU*\", \"*Get-Service|?{$_.Status*\", \"*Win32_ComputerSystem*\") OR\n    ParentProcessName IN (\"*agent*.exe\", \"*xworm*.exe\") OR\n    ScriptBlockText=\"*AgentSec_*\"\n)\n| table _time, Computer, ParentProcessName, ScriptBlockText, UserID\n| sort -_time",
            "pattern_type": "spl",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--779378bd-5c7e-53de-ad7d-077701bc5867",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.924477Z",
            "modified": "2026-06-14T11:53:54.924477Z",
            "name": "XWorm RAT C2 Connection to Known Infrastructure",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: XWorm RAT C2 Connection to Known Infrastructure\nid: 0ec3fca5-8ef8-f0d9-f098-cd749dd209fc\nstatus: stable\ndescription: Detects network connections to known XWorm C2 server 109.230.231.37\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent_xworm.exe analysis report\n    - Open Directory 109.230.231.37 investigation\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\n    - attack.t1132.001\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationIp: '109.230.231.37'\n    condition: selection\nfalsepositives:\n    - Unlikely - IP is confirmed malicious infrastructure\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--60cf5b17-ad98-5b91-8294-e7932c93eb36",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.92462Z",
            "modified": "2026-06-14T11:53:54.92462Z",
            "name": "Suspicious .NET Process with Hidden Console and Network Connection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious .NET Process with Hidden Console and Network Connection\nid: 9d963f85-812f-d02e-382a-48c41fc0387e\nstatus: experimental\ndescription: Detects .NET executables hiding the console window while establishing network connections (XWorm behavior)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - XWorm RAT behavioral analysis\ntags:\n    - attack.defense_evasion\n    - attack.t1564.003\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_dotnet:\n        Image|endswith: '.exe'\n        CommandLine|contains: 'v4.0.30319'\n    selection_hidden:\n        # Process created with hidden window\n        WindowStyle|contains:\n            - 'Hidden'\n            - 'SW_HIDE'\n    selection_network:\n        # Network connection from process\n        NetworkConnection: true\n    condition: selection_dotnet and selection_hidden and selection_network\nfalsepositives:\n    - Legitimate .NET applications with background network operations\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f583a5db-5679-5608-b89d-b07a1d9a99ba",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.924752Z",
            "modified": "2026-06-14T11:53:54.924752Z",
            "name": "PowerShell Spawned by .NET Process from User Directory",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: PowerShell Spawned by .NET Process from User Directory\nid: 01027829-5061-9820-bbcd-60efca256c90\nstatus: experimental\ndescription: Detects PowerShell execution from .NET binaries in user-writable directories (XWorm execution pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - XWorm PowerShell execution capability\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_powershell:\n        Image|endswith: 'powershell.exe'\n        CommandLine|contains: '-NoP -C'\n    selection_parent:\n        ParentImage|contains:\n            - '\\AppData\\'\n            - '\\Temp\\'\n            - '\\Users\\'\n        ParentImage|endswith: '.exe'\n    filter:\n        ParentImage|contains:\n            - 'Microsoft'\n            - 'Visual Studio'\n    condition: selection_powershell and selection_parent and not filter\nfalsepositives:\n    - Legitimate development tools, software installers\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--961db5fd-cbb4-55ce-bf3a-1263d3606d3b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.924885Z",
            "modified": "2026-06-14T11:53:54.924885Z",
            "name": "File Creation with XWorm Naming Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: File Creation with XWorm Naming Pattern\nid: 0ec3fca5-8ef8-f0d9-f098-cd749dd209aa\nstatus: experimental\ndescription: Detects creation of files matching XWorm naming patterns (agent_xworm, XClient, etc.)\nauthor: The Hunters Ledger\ndate: 2026/01/12\ntags:\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - 'xworm'\n            - 'xclient'\n            - 'agent_xworm'\n        TargetFilename|endswith: '.exe'\n    condition: selection\nfalsepositives:\n    - Security research, malware analysis environments\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--77716fe9-1039-5029-ae32-221c0e105a3c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.926283Z",
            "modified": "2026-06-14T11:53:54.926283Z",
            "name": "MALWARE XWorm RAT C2 Connection to 109.230.231.37",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (\n    msg:\"MALWARE XWorm RAT C2 Connection to 109.230.231.37\";\n    flow:to_server,established;\n    reference:sha256,0ec3fca58ef8f0d9f098cd749dd209fccda7cbf68c1eecf836668e5dabd6f3bc;\n    classtype:trojan-activity;\n    sid:1000010;\n    rev:1;\n)\n\nalert tcp 109.230.231.37 any -> $HOME_NET any (\n    msg:\"MALWARE XWorm RAT C2 Response from 109.230.231.37\";\n    flow:to_client,established;\n    reference:sha256,0ec3fca58ef8f0d9f098cd749dd209fccda7cbf68c1eecf836668e5dabd6f3bc;\n    classtype:trojan-activity;\n    sid:1000011;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ca70109d-e44f-5454-bd36-bbfe8744a782",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.926428Z",
            "modified": "2026-06-14T11:53:54.926428Z",
            "name": "SUSPICIOUS Base64 encoded traffic from user directory process",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> any any (\n    msg:\"SUSPICIOUS Base64 encoded traffic from user directory process\";\n    flow:to_server,established;\n    content:\"|41 67 65 6e 74|\"; // \"Agent\" in hex\n    pcre:\"/^[A-Za-z0-9+\\/]{20,}={0,2}$/\";\n    threshold:type both, track by_src, count 5, seconds 60;\n    classtype:suspicious-traffic;\n    sid:1000012;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--39481741-fe8e-583e-8a62-cddb6500766b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.926857Z",
            "modified": "2026-06-14T11:53:54.926857Z",
            "name": "Suspicious WinDefenderSvc.exe in Startup Folder",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious WinDefenderSvc.exe in Startup Folder\nid: e7f9a29d-de30-7aff-f419-1dbc14a97440\nstatus: experimental\ndescription: Detects creation of WinDefenderSvc.exe in user Startup folder (PoetRAT persistence)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent.exe analysis report\n    - Open Directory 109.230.231.37 investigation\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - attack.defense_evasion\n    - attack.t1036.005\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Start Menu\\Programs\\Startup\\WinDefenderSvc.exe'\n    filter:\n        # Exclude legitimate Windows Defender (signed by Microsoft)\n        Signature: 'Microsoft Corporation'\n        SignatureStatus: 'Valid'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate Windows Defender components (should be signed by Microsoft)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c557a2e9-8af7-5d47-9821-addc9d16de28",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.927025Z",
            "modified": "2026-06-14T11:53:54.927025Z",
            "name": "Suspicious Registry Run Key - WindowsDefenderUpdate",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Registry Run Key - WindowsDefenderUpdate\nid: 4e856041-0182-42c6-2b38-48d63b94c376\nstatus: experimental\ndescription: Detects creation of WindowsDefenderUpdate registry Run key (PoetRAT persistence)\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent.exe analysis report\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - attack.defense_evasion\n    - attack.t1036.005\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsDefenderUpdate'\n    filter:\n        # Exclude if pointing to legitimate Microsoft-signed binary\n        Details|contains: 'C:\\Program Files\\Windows Defender\\'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate Windows Defender update mechanisms (extremely rare)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--372f3862-d31b-5b86-b88f-64de5828ec0f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.927169Z",
            "modified": "2026-06-14T11:53:54.927169Z",
            "name": "Golang Executable Creating Persistence with Anti-Debug",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Golang Executable Creating Persistence with Anti-Debug\nid: b1d5e55b-1c15-b7cb-8391-38625d9d2efa\nstatus: experimental\ndescription: Detects Golang-compiled executable creating persistence and using anti-debugging\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent.exe analysis report\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - attack.defense_evasion\n    - attack.t1622\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_golang:\n        # Golang executables often have specific characteristics\n        Image|contains:\n            - 'go.exe'\n            - 'runtime.main'\n    selection_antidebug:\n        CallTrace|contains:\n            - 'NtQueryInformationProcess'\n            - 'SetConsoleCtrlHandler'\n            - 'IsDebuggerPresent'\n    selection_persistence:\n        CommandLine|contains:\n            - '\\Startup\\'\n            - 'CurrentVersion\\Run'\n            - 'schtasks'\n    condition: selection_golang and (selection_antidebug or selection_persistence)\nfalsepositives:\n    - Legitimate Golang applications with anti-tampering protections\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f1f0d978-6f38-517b-b39d-a1e0eab008f8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.927307Z",
            "modified": "2026-06-14T11:53:54.927307Z",
            "name": "PoetRAT Installation Marker File (.wd_installed)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: PoetRAT Installation Marker File (.wd_installed)\nid: 6b86b273-ff34-fce1-9d6b-804eff5a3f57\nstatus: experimental\ndescription: Detects creation of .wd_installed marker file indicating PoetRAT infection\nauthor: The Hunters Ledger\ndate: 2026/01/12\nreferences:\n    - agent.exe analysis report\ntags:\n    - attack.defense_evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\.wd_installed'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unlikely - very specific naming pattern\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2cc4999c-754e-53e2-b1a1-5c1db53c17e8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.928503Z",
            "modified": "2026-06-14T11:53:54.928503Z",
            "name": "MALWARE PoetRAT agent.exe connection to distribution IP",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (\n    msg:\"MALWARE PoetRAT agent.exe connection to distribution IP\";\n    flow:to_server,established;\n    reference:sha256,e7f9a29dde307afff4191dbc14a974405f287b10f359a39305dccdc0ee949385;\n    classtype:trojan-activity;\n    sid:1000001;\n    rev:1;\n)\n\nalert tcp 109.230.231.37 any -> $HOME_NET any (\n    msg:\"MALWARE PoetRAT agent.exe inbound from distribution IP\";\n    flow:to_client,established;\n    reference:sha256,e7f9a29dde307afff4191dbc14a974405f287b10f359a39305dccdc0ee949385;\n    classtype:trojan-activity;\n    sid:1000002;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--56bbc3ab-5016-5279-85eb-bb25c0349774",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.928632Z",
            "modified": "2026-06-14T11:53:54.928632Z",
            "name": "SUSPICIOUS Golang executable encrypted C2 traffic pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> any any (\n    msg:\"SUSPICIOUS Golang executable encrypted C2 traffic pattern\";\n    flow:to_server,established;\n    content:\"Go\"; http_user_agent;\n    threshold:type both, track by_src, count 10, seconds 60;\n    classtype:suspicious-traffic;\n    sid:1000003;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d96b83c7-e35b-5b65-9428-5528928706f5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.928762Z",
            "modified": "2026-06-14T11:53:54.928762Z",
            "name": "Suspicious PowerShell Patterns (Splunk)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "# Splunk query for suspicious PowerShell from PoetRAT\nindex=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104\n| search (\n    ParentProcessName=\"*agent.exe\" OR\n    ParentProcessName=\"*WinDefenderSvc.exe\" OR\n    ScriptBlockText IN (\"*Invoke-WebRequest*\", \"*DownloadString*\", \"*IEX*\", \"*Invoke-Expression*\", \"*-EncodedCommand*\")\n)\n| table _time, Computer, ParentProcessName, ScriptBlockText, UserID\n| sort -_time",
            "pattern_type": "spl",
            "valid_from": "2026-01-12T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--f7d6132b-1864-5856-bdc1-38468af72c7f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:53:54.92932Z",
            "modified": "2026-06-14T11:53:54.92932Z",
            "name": "Arsenal-237 R&D Repository \u2014 Executive Overview",
            "report_types": [
                "threat-report"
            ],
            "published": "2026-01-12T00:00:00Z",
            "object_refs": [
                "indicator--1e4467f4-7501-5720-9b3d-fdc2cada3f14",
                "indicator--eeda4351-acf8-5469-9507-473c57e5cd0d",
                "indicator--b643e914-2423-5b28-ba39-c52e67362307",
                "indicator--3d17f92a-3e54-55c8-b0d2-0fa2ff1c1b27",
                "indicator--12df68bb-1812-54bb-ab24-cce1c66d0317",
                "indicator--47430a27-fbc8-55ea-9c8e-ee4541f9ca40",
                "indicator--49fe08d6-ffab-57d2-a1db-7c7ea12af578",
                "indicator--7ddce2e7-6860-5242-8376-7f344c75fb27",
                "indicator--054c0e06-c852-5cd6-a888-35182889637e",
                "indicator--6bce6d5d-c51f-5a49-80ea-4e252505545c",
                "indicator--9809fbb0-e393-57ff-89e3-f124509f821a",
                "indicator--cb19756a-b3a4-5582-9c58-1d25d0364298",
                "indicator--61e02a20-bebc-5910-ad70-4c3938ed9b4a",
                "indicator--635e274c-edb1-5aa9-b3ce-c1ea2a93e6e7",
                "indicator--a0162d97-93c3-561c-9585-3073eb9a324d",
                "indicator--629ed18d-2bee-5f37-b14d-701564428277",
                "indicator--8d0f9ae4-8724-5424-92a0-41faf1d8422a",
                "indicator--ba2317ba-7aa6-5262-bfed-f5c0a03a8848",
                "indicator--079ae08b-524f-58d3-a692-c54187a4619c",
                "indicator--d08bddc6-7fef-54d7-b117-8268b1b89d57",
                "indicator--021ca7fa-127d-548f-978f-93b0853b9362",
                "indicator--82dfcb8c-2df6-5c68-9ce8-0d385852eac2",
                "indicator--ae2a047d-2e61-5fc0-8d83-dd32a2b1cc37",
                "indicator--ea8214d5-ca3c-528c-a8c6-0cbcf1e11de1",
                "indicator--dff46164-3818-52a9-98ea-db785c4c21b4",
                "indicator--21980451-499b-56d5-b850-31fe6fbc5586",
                "indicator--5811819b-8e77-52f8-9697-f551df4f2159",
                "indicator--159e0f2f-a6b8-57d5-bc65-005685d5b8b7",
                "indicator--f2a7bc71-273c-5fad-b652-f712e4d1eed9",
                "indicator--3fa7f3d7-4a82-5b39-8872-2851ee117d06",
                "indicator--535a79a2-04b7-5a5b-bf2e-249cdf0f79d7",
                "indicator--083d4d9a-1dea-5d32-8775-bb6a0dadad50",
                "indicator--7e15bd8d-10be-544f-af7f-81ddde8b6081",
                "indicator--0eaf7c14-b4ae-593a-80dd-f16ad0fd98a2",
                "indicator--d6084834-ae2a-5cab-b9e4-c3010fc51bf8",
                "indicator--84599bde-6e1d-5d5b-95a7-aa79c9f0e6b7",
                "indicator--9151604a-6eda-5b17-97f4-4ccfcaf00189",
                "indicator--dd9f4a6c-143d-593b-94c6-1554324bd730",
                "indicator--89166cd2-1fb7-5cf8-8420-c463242d585e",
                "indicator--5eda9b62-41f7-5979-a60a-2066d0d38d8e",
                "indicator--e6f84f8e-db30-55ee-ae89-cfa9c9e41e69",
                "indicator--e74fa495-3fcb-5855-b791-93fd06e2caf3",
                "indicator--4d9c5203-651f-50ba-aeef-e0ae8fbbf8b7",
                "indicator--17065a23-b8f0-58d8-9d61-9377faf616ad",
                "indicator--737fc518-fef8-5ccf-bd8b-ba07322b2423",
                "indicator--64689a1b-8662-579a-affd-5cbaa6f1f211",
                "indicator--40f18f46-997f-57ab-9c81-d7cc10b3bfc5",
                "indicator--1ddff2a3-89e6-5ae5-a6d2-b2754c3a8fc6",
                "indicator--59786924-d4f9-58ad-94ff-dcc338dde3c9",
                "indicator--8fcc5368-f810-5d52-a283-50f41d661543",
                "indicator--33d63f30-b533-5499-be39-1fcb83bb92fe",
                "indicator--a96688aa-f8c0-55bf-b6f5-bbe916f232f6",
                "indicator--b857f694-0760-5dd8-a009-32f9d39a32da",
                "indicator--c168957f-470b-5243-8795-6421a454d188",
                "indicator--185bc2b3-ce6c-5a3e-b3e7-f6e3798e9303",
                "indicator--4d4e5253-1e4e-590e-9e4a-25d1930c6d60",
                "indicator--779378bd-5c7e-53de-ad7d-077701bc5867",
                "indicator--60cf5b17-ad98-5b91-8294-e7932c93eb36",
                "indicator--f583a5db-5679-5608-b89d-b07a1d9a99ba",
                "indicator--961db5fd-cbb4-55ce-bf3a-1263d3606d3b",
                "indicator--77716fe9-1039-5029-ae32-221c0e105a3c",
                "indicator--ca70109d-e44f-5454-bd36-bbfe8744a782",
                "indicator--39481741-fe8e-583e-8a62-cddb6500766b",
                "indicator--c557a2e9-8af7-5d47-9821-addc9d16de28",
                "indicator--372f3862-d31b-5b86-b88f-64de5828ec0f",
                "indicator--f1f0d978-6f38-517b-b39d-a1e0eab008f8",
                "indicator--2cc4999c-754e-53e2-b1a1-5c1db53c17e8",
                "indicator--56bbc3ab-5016-5279-85eb-bb25c0349774",
                "indicator--d96b83c7-e35b-5b65-9428-5528928706f5"
            ],
            "labels": [
                "Toolkit",
                "Ransomware",
                "RAT",
                "Rust",
                "Go"
            ],
            "external_references": [
                {
                    "source_name": "The Hunters Ledger",
                    "url": "https://the-hunters-ledger.com/reports/109.230.231.37-Executive-Overview/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        }
    ]
}