{
    "type": "bundle",
    "id": "bundle--3d0a6f37-0f3a-47af-8cb2-1fd04bdf0d63",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.197866Z",
            "modified": "2026-06-14T11:55:42.197866Z",
            "name": "The Hunters Ledger",
            "identity_class": "organization"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--aed218eb-1892-54b0-b0d8-bf7fdd269864",
            "hashes": {
                "SHA-256": "4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4808afb2-9fb4-551e-89e6-e1f8b9f11cf5",
            "hashes": {
                "SHA-256": "d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2dd75871-9b15-5a7e-b515-2f94534ca27c",
            "hashes": {
                "SHA-256": "92c4f4b7748f23d6dcd5af43595f34e4bb8e284a85d2c1647b189c1bb59a784a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--ba6bed9f-017c-5023-91e8-de00432f8faa",
            "hashes": {
                "SHA-256": "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--81efbf05-e147-5696-b7f9-f0e7783e5912",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.200534Z",
            "modified": "2026-06-14T11:55:42.200534Z",
            "name": "Arsenal237_FullTestEnc_ExactHash",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_FullTestEnc_ExactHash {\n    meta:\n        description = \"Detects full_test_enc.exe by exact cryptographic hash\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n        threat_level = \"CRITICAL\"\n        confidence = \"DEFINITE\"\n        reference = \"Arsenal-237 Toolkit\"\n\n    strings:\n        // File hashes\n        $sha256 = { 4d 1f e7 b5 4a 0c e9 ce 20 82 c1 67 b6 62 ec 13 8b 89 0e 3f 30 5e 67 bd c1 3a 5e 9a 24 70 85 18 }\n        // Note: YARA hex patterns are for demonstration; use native hash matching in YARA 4.2+\n\n    hashes:\n        sha256 = \"4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518\"\n        sha1 = \"bc0788a36b6b839fc917be0577cd14e584c71fd8\"\n        md5 = \"1fe8b9a14f9f8435c5fb5156bcbc174e\"\n\n    condition:\n        any of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--277bc6b4-a26e-5444-a782-9739cbf4cd02",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.200761Z",
            "modified": "2026-06-14T11:55:42.200761Z",
            "name": "Arsenal237_RustCrypto_ChaCha20_RSA",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_RustCrypto_ChaCha20_RSA {\n    meta:\n        description = \"Detects malware using Rust ChaCha20 + RSA cryptographic libraries\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n        threat_level = \"CRITICAL\"\n\n    strings:\n        // Rust crypto library paths (embedded in binary)\n        $chacha20 = \"/chacha20-0.9.1/src/lib.rs\" ascii\n        $rsa = \"/rsa-0.9.9/src/algorithms/\" ascii\n        $aead = \"/aead-0.5.2/src/lib.rs\" ascii\n        $cipher = \"/cipher-0.4.4/\" ascii\n        $digest = \"/digest-0.10.7/\" ascii\n        $rand = \"/rand-0.8.5/\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and  // PE signature\n        filesize > 10MB and\n        3 of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f03776ea-5f6f-5c10-961e-bb6cc69d94a2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.200906Z",
            "modified": "2026-06-14T11:55:42.200906Z",
            "name": "Arsenal237_Ransomware_Lockbox_Strings",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Ransomware_Lockbox_Strings {\n    meta:\n        description = \"Detects ransom messaging and .lockbox file extension\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n        threat_level = \"CRITICAL\"\n        confidence = \"HIGH\"\n\n    strings:\n        // Ransom-specific strings\n        $ransom1 = \"YOUR FILES HAVE BEEN ENCRYPTED!\" ascii wide\n        $ransom2 = \"Ransom ID:\" ascii wide\n        $ransom3 = \"Ransom ID: \" ascii\n\n        // File extension indicator\n        $lockbox = \".lockbox\" ascii wide\n\n        // Operational logging strings\n        $log1 = \"[*] Encryptor starting...\" ascii\n        $log2 = \"[*] Encrypting all drives...\" ascii\n        $log3 = \"[+] Encryption complete!\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize > 10MB and filesize < 20MB and\n        (2 of ($ransom*) and $lockbox) or\n        (all of ($log*))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ac997c05-624f-5ef2-b131-dd8219f3dc05",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201039Z",
            "modified": "2026-06-14T11:55:42.201039Z",
            "name": "Arsenal237_Rayon_AntiAnalysis",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Rayon_AntiAnalysis {\n    meta:\n        description = \"Detects Rayon parallel processing library and anti-analysis techniques\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n\n    strings:\n        // Parallel processing\n        $rayon = \"/rayon-1.11.0/src/\" ascii\n        $walkdir = \"/walkdir-2.5.0/\" ascii\n\n        // Anti-analysis indicators\n        $sysinfo = \"/sysinfo-0.29.11/\" ascii\n        $vm_detect = \"VMware\" ascii nocase\n        $vbox_detect = \"VirtualBox\" ascii nocase\n\n        // Error strings indicating encryption\n        $encrypt_error1 = \"Failed to encrypt nonce\" ascii\n        $encrypt_error2 = \"Failed to encrypt key\" ascii\n        $encrypt_error3 = \"Block encryption failed\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize > 10MB and\n        (all of ($rayon, $walkdir, $sysinfo)) or\n        (2 of ($vm_detect, $vbox_detect, $encrypt_error*))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ed97a4da-45a8-5f90-9786-69bf740a90d7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201166Z",
            "modified": "2026-06-14T11:55:42.201166Z",
            "name": "Arsenal237_NetworkShare_Enumeration",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_NetworkShare_Enumeration {\n    meta:\n        description = \"Detects malware performing network share enumeration\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n\n    strings:\n        // Network share operations\n        $netuse = \"net use\" ascii\n        $unc_pattern = \"\\\\\\\\\" ascii  // UNC path indicator\n        $smb = \"SMB\" ascii nocase\n\n        // Error string specific to net use execution\n        $netuse_error = \"Failed to execute net use\" ascii\n\n        // Folder targeting string\n        $folder_option = \"--folder\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize > 10MB and\n        ($netuse or $netuse_error or $unc_pattern) and\n        ($folder_option or \"C:\\\\Windows\\\\Temp\" ascii)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8c9ab8bb-4a8b-5624-8846-261360d3f358",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201299Z",
            "modified": "2026-06-14T11:55:42.201299Z",
            "name": "Arsenal237_FullTestEnc_Comprehensive",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_FullTestEnc_Comprehensive {\n    meta:\n        description = \"Comprehensive detection combining multiple Arsenal-237 indicators\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-27\"\n        malware_type = \"Ransomware\"\n        threat_level = \"CRITICAL\"\n        confidence = \"HIGH\"\n\n    strings:\n        // Crypto indicators (must have)\n        $chacha = \"/chacha20-\" ascii\n        $rsa_lib = \"/rsa-\" ascii\n\n        // Ransom indicators (must have)\n        $ransom = \"YOUR FILES HAVE BEEN ENCRYPTED!\" ascii wide\n\n        // Performance/behavioral (must have at least 1)\n        $rayon = \"/rayon-\" ascii\n        $walkdir = \"/walkdir-\" ascii\n        $sysinfo = \"/sysinfo-\" ascii\n\n        // Extension (should have)\n        $lockbox = \".lockbox\" ascii\n\n        // Network (should have)\n        $netuse = \"net use\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize > 10MB and filesize < 20MB and\n        $chacha and $rsa_lib and $ransom and\n        (1 of ($rayon, $walkdir, $sysinfo)) and\n        ($lockbox or $netuse or \"Ransom ID\" ascii)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ea5360b5-98be-51e0-877b-20fa56ec4fab",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201427Z",
            "modified": "2026-06-14T11:55:42.201427Z",
            "name": "Arsenal-237 - Mass .lockbox File Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 - Mass .lockbox File Creation\nid: arsenal-237-lockbox-creation-sigma\ndate: 2026-01-27\nmodified: 2026-01-27\nstatus: experimental\nlogsource:\n    category: file_event\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 11\n        TargetFilename|endswith: '.lockbox'\n    filter:\n        Image|contains:\n            - 'C:\\Program Files'\n            - 'C:\\Program Files (x86)'\n            - 'C:\\Windows\\System32'\n            - 'C:\\Windows\\SysWOW64'\n    timeframe: 1m\n    condition: selection and not filter | count(TargetFilename) > 10\nfields:\n    - EventID\n    - TargetFilename\n    - Image\n    - User\n    - Computer\nfalsepositives:\n    - Legitimate backup software with custom extensions\n    - Database backup processes\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--095f0bce-6a36-529b-96fa-d52bb9612921",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201554Z",
            "modified": "2026-06-14T11:55:42.201554Z",
            "name": "Arsenal-237 - Unsigned Binary Executing net use",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 - Unsigned Binary Executing net use\nid: arsenal-237-netuse-unsigned-sigma\ndate: 2026-01-27\nlogsource:\n    category: process_creation\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 1\n        CommandLine|contains: 'net use'\n        Image|notin:\n            - 'C:\\Windows\\*'\n            - 'C:\\Program Files*'\n        SignedStatus|endswith: 'unsigned'\n    filter_admin:\n        User|contains: 'SYSTEM'\n        ParentImage|endswith:\n            - 'svchost.exe'\n            - 'lsass.exe'\n    condition: selection and not filter_admin\nfields:\n    - EventID\n    - CommandLine\n    - Image\n    - User\n    - ParentImage\n    - TargetObject\nfalsepositives:\n    - Administrative tools\n    - Batch scripts\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4140f0b8-2710-5324-9b05-e3778921834c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201679Z",
            "modified": "2026-06-14T11:55:42.201679Z",
            "name": "Arsenal-237 - Parallel Multi-threaded File Operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 - Parallel Multi-threaded File Operations\nid: arsenal-237-parallel-writes-sigma\ndate: 2026-01-27\nlogsource:\n    category: file_event\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 11\n        Image|notin:\n            - 'C:\\Program Files*'\n            - 'C:\\Windows\\*'\n    filter_system:\n        User: 'SYSTEM'\n    aggregation:\n        by:\n            - Image\n            - TargetFilename\n    condition: selection and not filter_system | count() > 50 within 60s\nfields:\n    - EventID\n    - Image\n    - TargetFilename\n    - User\n    - Computer\nfalsepositives:\n    - Legitimate backup software\n    - Database maintenance operations\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2e56c34c-cd35-528f-b395-f5e0791f63c5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201802Z",
            "modified": "2026-06-14T11:55:42.201802Z",
            "name": "Arsenal-237 - All Drives Enumeration (GetLogicalDrives)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 - All Drives Enumeration (GetLogicalDrives)\nid: arsenal-237-getlogicaldrives-sigma\ndate: 2026-01-27\nlogsource:\n    category: file_event\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 11\n        TargetFilename|contains:\n            - 'A:\\'\n            - 'B:\\'\n            - 'C:\\'\n            - 'D:\\'\n            - 'E:\\'\n        Image|notin:\n            - 'C:\\Windows\\*'\n            - 'C:\\Program Files*'\n    aggregation:\n        by:\n            - Image\n            - User\n    condition: selection | count(TargetFilename) > 10 within 60s\nfields:\n    - EventID\n    - Image\n    - TargetFilename\n    - User\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--febe47e7-0513-5a75-b535-d569b0fa7238",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.201953Z",
            "modified": "2026-06-14T11:55:42.201953Z",
            "name": "Arsenal-237 - Rust Cryptographic Libraries in Process Memory",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 - Rust Cryptographic Libraries in Process Memory\nid: arsenal-237-crypto-libs-sigma\ndate: 2026-01-27\nlogsource:\n    category: image_load\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 7\n        ImageLoaded|contains:\n            - 'chacha20'\n            - 'rsa'\n            - 'aead'\n            - 'rayon'\n    filter:\n        Image|endswith:\n            - '.exe'\n        Signed: 'false'\n    condition: selection and filter\nfields:\n    - EventID\n    - Image\n    - ImageLoaded\n    - ProcessId\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8adc0757-bd25-56ae-a75f-5487ab392c89",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.202091Z",
            "modified": "2026-06-14T11:55:42.202091Z",
            "name": "Detect .lockbox File Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect mass .lockbox file creation\nDeviceFileEvents\n| where FileName endswith \".lockbox\"\n| where ActionType == \"FileCreated\"\n| where InitiatingProcessFileName !in (\"System\", \"svchost.exe\", \"csrss.exe\", \"SearchIndexer.exe\")\n| where InitiatingProcessFileName !contains \"Windows\"\n| where InitiatingProcessFolderPath !startswith \"C:\\\\Windows\\\\\"\n| where InitiatingProcessFolderPath !startswith \"C:\\\\Program Files\"\n| summarize\n    FileCount = dcount(FileName),\n    FileList = make_set(FileName, 20),\n    FirstSeen = min(Timestamp),\n    LastSeen = max(Timestamp)\n    by DeviceName, InitiatingProcessName, InitiatingProcessSHA256\n| where FileCount > 10\n| project TimeGenerated=LastSeen, DeviceName, InitiatingProcessName, FileCount, FileList",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8abf43de-4e5a-5553-9195-23be769e86a2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.202222Z",
            "modified": "2026-06-14T11:55:42.202222Z",
            "name": "Unsigned Binary Executing net use",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect unsigned binary executing net use\nDeviceProcessEvents\n| where ProcessCommandLine contains \"net use\"\n| where SignerName == \"\" or SignerName == \"unsigned\"\n| where ProcessFileName !contains \"C:\\\\Windows\"\n| where ProcessFileName !contains \"C:\\\\Program Files\"\n| join kind=inner (\n    DeviceFileEvents\n    | where FileName == \"full_test_enc.exe\" or FileName contains \"test_enc\"\n    ) on DeviceName\n| project TimeGenerated, DeviceName, ProcessCommandLine, ProcessFileName, ProcessSHA256\n| limit 100",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d414aa30-7964-5ae5-8627-32af1ee3fed8",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.202358Z",
            "modified": "2026-06-14T11:55:42.202358Z",
            "name": "Mass File Modifications in Short Timeframe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect rapid sequential file modifications (ransomware pattern)\nDeviceFileEvents\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n| where InitiatingProcessFileName !contains \"Windows\"\n| where InitiatingProcessFileName !contains \"System\"\n| summarize\n    FileCount = dcount(FileName),\n    ProcessName = any(InitiatingProcessFileName),\n    ProcessPath = any(InitiatingProcessFolderPath)\n    by DeviceName, bin(Timestamp, 60s)\n| where FileCount > 100\n| project Timestamp, DeviceName, ProcessName, FileCount",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4198c984-88ac-573c-b540-bf891a489c64",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20249Z",
            "modified": "2026-06-14T11:55:42.20249Z",
            "name": "Parallel WriteFile Operations Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect parallel multi-threaded file operations\nDeviceFileEvents\n| where ActionType == \"FileCreated\"\n| where InitiatingProcessFileName !contains \"System\"\n| where InitiatingProcessFileName !contains \"Windows\"\n| summarize\n    FileCount = dcount(FileName),\n    UniqueHashes = dcount(InitiatingProcessSHA256),\n    TimeRange = max(Timestamp) - min(Timestamp)\n    by DeviceName, InitiatingProcessName, bin(Timestamp, 10s)\n| where FileCount > 20 and TimeRange < 60s\n| project Timestamp, DeviceName, InitiatingProcessName, FileCount",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7a1b8061-5010-5c93-adde-834d6ea127b6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.202616Z",
            "modified": "2026-06-14T11:55:42.202616Z",
            "name": "Search for Arsenal-237 File Hashes",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Search for Arsenal-237 ransomware by known hashes\nDeviceFileEvents\n| where (SHA256 == \"4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518\" or\n         SHA1 == \"bc0788a36b6b839fc917be0577cd14e584c71fd8\" or\n         MD5 == \"1fe8b9a14f9f8435c5fb5156bcbc174e\")\n| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, MD5\n| union (\n    DeviceProcessEvents\n    | where (SHA256 == \"4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518\" or\n             ProcessSHA256 == \"4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518\")\n    | project TimeGenerated, DeviceName, ProcessName, ProcessCommandLine, ProcessFolderPath\n    )",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9947d139-f6ff-5bc5-a66e-5a0e0f380b8d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.202746Z",
            "modified": "2026-06-14T11:55:42.202746Z",
            "name": "Network Share Write Activity from Unsigned Binary",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect unsigned binary writing to network shares\nDeviceFileEvents\n| where FileName endswith \".lockbox\"\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n| where FolderPath startswith \"\\\\\\\\\"  // UNC path indicator\n| where InitiatingProcessFileName !contains \"backup\"\n| where InitiatingProcessFileName !contains \"System\"\n| summarize\n    FileCount = dcount(FileName),\n    ShareList = make_set(FolderPath, 10)\n    by DeviceName, InitiatingProcessName, InitiatingProcessSHA256\n| where FileCount > 5\n| project DeviceName, InitiatingProcessName, FileCount, ShareList",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f16009d3-f432-5146-818a-710446bf1883",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20289Z",
            "modified": "2026-06-14T11:55:42.20289Z",
            "name": "VM/Debugger Evasion Attempts",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Detect VM and debugger detection attempts\nDeviceEvents\n| where EventType == \"SetUnhandledExceptionFilter\" or\n        EventType == \"AddVectoredExceptionHandler\" or\n        EventType == \"QueryPerformanceCounter\"  // Timing checks\n| where InitiatingProcessFileName !contains \"Windows\"\n| where InitiatingProcessFileName !contains \"System\"\n| join kind=inner (\n    DeviceFileEvents\n    | where FileName == \"full_test_enc.exe\"\n    ) on DeviceName\n| project TimeGenerated, DeviceName, EventType, InitiatingProcessName",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9751a6ee-f394-5916-a097-14b753586261",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203022Z",
            "modified": "2026-06-14T11:55:42.203022Z",
            "name": "Search 1: Detect .lockbox File Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=11 TargetFilename=\"*.lockbox\"\n| search NOT (Image=\"*\\\\System*\" OR Image=\"*\\\\Windows\\\\*\" OR Image=\"*\\\\Program Files*\")\n| stats count by host, Image, TargetFilename\n| where count > 10\n| table _time, host, Image, TargetFilename, count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c31679c4-feec-5fc0-aa84-72252d745939",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203149Z",
            "modified": "2026-06-14T11:55:42.203149Z",
            "name": "Search 2: Network Share Enumeration via net use",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=1 CommandLine=\"*net use*\"\n| search NOT (Image=\"*\\\\Windows\\\\*\" OR Image=\"*\\\\System*\")\n| search Signed=false OR SignedStatus=Unsigned\n| table _time, host, CommandLine, Image, User, ParentImage",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--46455690-1d28-536b-89ec-338741750da4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203273Z",
            "modified": "2026-06-14T11:55:42.203273Z",
            "name": "Search 3: Rapid File Creation by Non-System Process",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=11\n| search NOT (Image=\"*\\\\Windows\\\\*\" OR Image=\"*\\\\System*\")\n| bin _time span=1m\n| stats count dc(TargetFilename) as files by host, Image, _time\n| where count > 50\n| table _time, host, Image, files, count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--36b3e480-8252-5c0d-a6f0-0cccdd49c18e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20341Z",
            "modified": "2026-06-14T11:55:42.20341Z",
            "name": "Search 4: Arsenal-237 Hash Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main (\n    SHA256=\"4d1fe7b54a0ce9ce2082c167b662ec138b890e3f305e67bdc13a5e9a24708518\" OR\n    SHA1=\"bc0788a36b6b839fc917be0577cd14e584c71fd8\" OR\n    MD5=\"1fe8b9a14f9f8435c5fb5156bcbc174e\"\n)\n| table _time, host, FileName, FilePath, SHA256, EventCode",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--11266e5d-f304-5418-b11f-62bc3441a81c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203534Z",
            "modified": "2026-06-14T11:55:42.203534Z",
            "name": "Identify Rust Binaries with Cryptographic Libraries",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=11 (TargetFilename=\"*chacha*\" OR TargetFilename=\"*rsa*\") Image=\"*.exe\"\n| search NOT Image=\"*\\\\Windows\\\\*\"\n| stats values(Image) as processes by host\n| table host, processes",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a7d83f0-ef13-5b02-b9b1-480e6cdf25f4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203658Z",
            "modified": "2026-06-14T11:55:42.203658Z",
            "name": "Find All Binaries with .lockbox Extension Association",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where FileName endswith \".lockbox\"\n| distinct InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath\n| project ProcessName=InitiatingProcessFileName, ProcessHash=InitiatingProcessSHA256, ProcessPath=InitiatingProcessFolderPath",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c43c0474-3200-5a48-9f3f-06d86bdaf07e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203781Z",
            "modified": "2026-06-14T11:55:42.203781Z",
            "name": "Identify Systems with Multiple Drive Access",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=11\n| where match(TargetFilename, \"^[A-Za-z]:\")\n| eval drive=upper(substr(TargetFilename, 1, 1))\n| stats dc(drive) as DriveAccessCount values(drive) as drives by Image, host\n| where DriveAccessCount > 3\n| table host, Image, DriveAccessCount, drives",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1244c2c7-a430-51c4-b6ce-419cd77313cb",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.203905Z",
            "modified": "2026-06-14T11:55:42.203905Z",
            "name": "Timeline Reconstruction of Ransomware Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where FileName endswith \".lockbox\" or FileName contains \"Ransom\"\n| extend Activity = case(\n    FileName endswith \".lockbox\" and ActionType in (\"FileCreated\", \"FileRenamed\"), \"File Encrypted\",\n    ActionType == \"FileDeleted\", \"File Deleted\",\n    ActionType == \"FileModified\", \"File Modified\",\n    \"Other\"\n  )\n| project Timestamp, DeviceName, FolderPath, FileName, ActionType, Activity, InitiatingProcessFileName, InitiatingProcessSHA256\n| order by Timestamp asc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a90690f-dfb0-5012-bdcb-2a08a766b26e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204028Z",
            "modified": "2026-06-14T11:55:42.204028Z",
            "name": "Arsenal-237 SMB Share Enumeration Attempt",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert smb $HOME_NET any -> $HOME_NET any (\n    msg:\"Arsenal-237 SMB Share Enumeration Attempt\";\n    flow:to_server,established;\n    smb.named_pipe; content:\"srvsvc\"; nocase;\n    threshold:type limit, track by_src, count 1, seconds 60;\n    classtype:trojan-activity;\n    sid:1000001;\n    rev:2;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--37ab8827-2c36-521e-9626-e25375ddd415",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204155Z",
            "modified": "2026-06-14T11:55:42.204155Z",
            "name": "Ransomware RDP Lateral Movement",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> $HOME_NET 3389 (\n    msg:\"Ransomware RDP Lateral Movement\";\n    flow:to_server,established;\n    content:\"Cookie|3a 20|mstshash=\"; depth:64;\n    threshold:type threshold, track by_src, count 5, seconds 60;\n    classtype:suspicious-login;\n    sid:1000002;\n    rev:2;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--da3a4367-1454-556e-9d0a-bff3705c4d78",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204301Z",
            "modified": "2026-06-14T11:55:42.204301Z",
            "name": "new_enc_exe_file_hash",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "import \"hash\"\n\nrule new_enc_exe_file_hash {\n    meta:\n        description = \"Detects new_enc.exe Arsenal-237 ransomware by file hash\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        malware_type = \"Ransomware\"\n        family = \"Arsenal-237\"\n        sha256 = \"90d223b70448d68f7f48397df6a9e57de3a6b389d5d8dc0896be633ca95720f2\"\n\n    condition:\n        // a text string only matches the digest written out as ASCII; compare the scanned file's own digest\n        hash.md5(0, filesize) == \"a16ba61114fa5a40afce54459bbff21e\" or\n        hash.sha1(0, filesize) == \"2c01cefba27c4d3fcb3b450cb8e625e89bc54363\" or\n        hash.sha256(0, filesize) == \"90d223b70448d68f7f48397df6a9e57de3a6b389d5d8dc0896be633ca95720f2\"\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--19404932-6988-5419-be68-7ddbeebd71af",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204426Z",
            "modified": "2026-06-14T11:55:42.204426Z",
            "name": "arsenal_237_chacha20_key",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_chacha20_key {\n    meta:\n        description = \"Detects Arsenal-237 hardcoded ChaCha20 encryption key\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        ioc_type = \"Cryptographic Material\"\n        confidence = \"CONFIRMED\"\n\n    strings:\n        // key written out as hex text (config, script or note)\n        $key_hex = \"67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b\" nocase wide ascii\n        // the same 32-byte key as raw bytes, as it is embedded in a compiled binary\n        $key_raw = { 67 e6 09 6a 85 ae 67 bb 72 f3 6e 3c 3a f5 4f a5 7f 52 0e 51 8c 68 05 9b ab d9 83 1f 19 cd e0 5b }\n\n    condition:\n        // no partial-key match: a 5-hex-character substring fires on arbitrary data\n        $key_hex or $key_raw\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f3249512-0641-59ff-aab4-f51c96bac9c0",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204547Z",
            "modified": "2026-06-14T11:55:42.204547Z",
            "name": "arsenal_237_campaign_identifiers",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_campaign_identifiers {\n    meta:\n        description = \"Detects Arsenal-237 campaign ID and version strings\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        ioc_type = \"Campaign Identifier\"\n\n    strings:\n        $campaign_id = \"ICIIXGD1X8ZJ4T1MTQ6TLQIDJEMDE7U4\" wide ascii\n        $version = \"v0.5-beta\" wide ascii\n        $ransom_task = \"RustRansomNoteTask\" wide ascii\n\n    condition:\n        any of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9045ea7c-feab-5e6b-a262-81a153393374",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204668Z",
            "modified": "2026-06-14T11:55:42.204668Z",
            "name": "arsenal_237_veritas_targeting",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_veritas_targeting {\n    meta:\n        description = \"Detects backup-agent service names on the kill list (Commvault GxVss/GxBlr/GxFWD/GxCVD/GxCIMgr and Veeam)\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        ioc_type = \"Enterprise Targeting Indicator\"\n        confidence = \"CONFIRMED\"\n\n    strings:\n        // Gx* are Commvault (Galaxy) agent service names, not Veritas Backup Exec\n        $gxvss = \"GxVss\" wide ascii\n        $gxblr = \"GxBlr\" wide ascii\n        $gxfwd = \"GxFWD\" wide ascii\n        $gxcvd = \"GxCVD\" wide ascii\n        $gxcimgr = \"GxCIMgr\" wide ascii\n        $veeam = \"veeam\" wide ascii nocase\n\n    condition:\n        // \"veeam\" alone appears in every legitimate Veeam binary; require a Gx* name alongside it\n        (3 of ($gx*)) or ($veeam and 1 of ($gx*))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5ad9c40a-c556-5b26-9808-aeece6b14f55",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204792Z",
            "modified": "2026-06-14T11:55:42.204792Z",
            "name": "arsenal_237_antirecovery_commands",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_antirecovery_commands {\n    meta:\n        description = \"Detects VSS deletion and anti-recovery commands\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        ioc_type = \"Anti-Recovery Indicator\"\n\n    strings:\n        $vss_delete = \"vssadmin delete shadows /all /quiet\" wide ascii nocase\n        $vss_pattern = \"vssadmin\" wide ascii nocase\n        $delete_shadows = \"delete shadows\" wide ascii nocase\n\n    condition:\n        ($vss_delete) or ($vss_pattern and $delete_shadows)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--913f55f8-fe5c-5244-b2aa-793336e9064a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.204913Z",
            "modified": "2026-06-14T11:55:42.204913Z",
            "name": "arsenal_237_anti_analysis",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_anti_analysis {\n    meta:\n        description = \"Detects anti-analysis strings and VM detection indicators\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        ioc_type = \"Anti-Analysis Indicator\"\n\n    strings:\n        $vm_vbox = \"VBOX\" wide ascii nocase\n        $vm_vmware = \"VMWARE\" wide ascii nocase\n        $vm_qemu = \"QEMU\" wide ascii nocase\n        $vm_xen = \"XEN\" wide ascii nocase\n        $vm_hyperv = \"HYPERV\" wide ascii nocase\n        $sandbox_cuckoo = \"cuckoo\" wide ascii nocase\n        $sandbox_malware = \"malware\" wide ascii nocase\n        // registry path with single backslashes (escaped once for YARA); the previous double escape could never match\n        $bios_registry = \"HARDWARE\\\\DESCRIPTION\\\\System\\\\BIOS\" wide ascii nocase\n        $debugger_check = \"IsDebuggerPresent\" wide ascii\n\n    condition:\n        // IsDebuggerPresent is imported by most CRT-linked binaries; never match on it alone\n        (3 of ($vm_*)) or (2 of ($sandbox_*)) or ($bios_registry and $debugger_check)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5cb87530-832f-5eb1-b2bd-d33f18777dc2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205046Z",
            "modified": "2026-06-14T11:55:42.205046Z",
            "name": "arsenal_237_hex_ransom_note",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_hex_ransom_note {\n    meta:\n        description = \"Detects hex-encoded ransom note header\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        ioc_type = \"Ransom Note Indicator\"\n\n    strings:\n        $hex_header = \"76302e352d626574610d0a0d0a52616e736f6d2d4944\" wide ascii  // v0.5-beta\\r\\n\\r\\nRansom-ID\n\n    condition:\n        $hex_header\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--76af637c-272e-5434-8ba3-96e71bb84ca4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205173Z",
            "modified": "2026-06-14T11:55:42.205173Z",
            "name": "arsenal_237_analysis_tool_strings",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_analysis_tool_strings {\n    meta:\n        description = \"Detects strings indicating analysis tool process monitoring\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        ioc_type = \"Anti-Analysis Tool Detection\"\n\n    strings:\n        $procmon = \"procmon\" wide ascii nocase\n        $wireshark = \"wireshark\" wide ascii nocase\n        $x64dbg = \"x64dbg\" wide ascii nocase\n        $ida = \"ida\" wide ascii nocase\n        $ghidra = \"ghidra\" wide ascii nocase\n        $dnspy = \"dnspy\" wide ascii nocase\n        $fiddler = \"fiddler\" wide ascii nocase\n        $processhacker = \"processhacker\" wide ascii nocase\n\n    condition:\n        (5 of them)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e1aba0d2-b81a-57d0-8a8a-86898bba0521",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205294Z",
            "modified": "2026-06-14T11:55:42.205294Z",
            "name": "arsenal_237_rust_implementation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule arsenal_237_rust_implementation {\n    meta:\n        description = \"Detects Rust-compiled ransomware characteristics\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        ioc_type = \"Family Classification\"\n\n    strings:\n        $chacha_const = \"Chacha_256_constant\" wide ascii\n        $rust_std = \"core::panicking\" wide ascii\n        $cargo = \"cargo\" wide ascii\n\n    condition:\n        // core::panicking and cargo are in every Rust binary; anchor on the family-specific constant\n        $chacha_const and 1 of ($rust_std, $cargo)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c547a7fa-69bb-5a77-a8b2-9b6c2a6fd83a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205429Z",
            "modified": "2026-06-14T11:55:42.205429Z",
            "name": "Volume Shadow Copy Deletion - Ransomware Indicator",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Volume Shadow Copy Deletion - Ransomware Indicator\nid: 0d6cbe7c-6d5f-4b6e-9c2a-8c4b5d3e1f7a\ndescription: Detects execution of vssadmin delete shadows command used by ransomware\nstatus: test\ndate: 2026-01-26\nauthor: The Hunters Ledger\nreferences:\n    - https://attack.mitre.org/techniques/T1490/\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'vssadmin'\n            - 'delete'\n            - 'shadows'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative backup operations (triage on ParentImage and User; do not exclude on a command-line token, which an attacker can simply append)\nlevel: critical\ntags:\n    - attack.impact\n    - attack.t1490\n    - ransomware\n    - critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c0ce1f13-4e27-5256-9758-a1c3d04e423a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205554Z",
            "modified": "2026-06-14T11:55:42.205554Z",
            "name": "Backup Service Termination - Multiple Services",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Backup Service Termination - Multiple Services\nid: 1e8c3d5a-2b7f-4a9c-b1e6-d3f5a8c2b4e7\ndescription: Detects mass termination of backup services (Commvault Gx* agents, Veeam, VSS)\nstatus: test\ndate: 2026-01-26\nauthor: The Hunters Ledger\nreferences:\n    - https://attack.mitre.org/techniques/T1489/\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7036  # service entered the stopped state (7000 is a failed start and carries no status)\n        param1|contains:\n            - 'GxVss'\n            - 'GxBlr'\n            - 'GxFWD'\n            - 'GxCVD'\n            - 'GxCIMgr'\n            - 'veeam'\n            - 'vss'\n            - 'Volume Shadow Copy'\n        param2: 'stopped'\n    timeframe: 5m\n    condition: selection | count(param1) > 2\nfalsepositives:\n    - Legitimate service maintenance\n    - Scheduled backup system restarts\nlevel: critical\ntags:\n    - attack.impact\n    - attack.t1489\n    - ransomware\n    - backup",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a140d97c-f133-5810-8855-908fbb481607",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205682Z",
            "modified": "2026-06-14T11:55:42.205682Z",
            "name": "Scheduled Task Creation - RustRansomNoteTask",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Scheduled Task Creation - RustRansomNoteTask\nid: 3f7a9b2c-5e8d-4c1a-b6f3-7d2e5a8c1b9f\ndescription: Detects creation of the RustRansomNoteTask scheduled task via its task file under System32\\\\Tasks\nstatus: test\ndate: 2026-01-26\nauthor: The Hunters Ledger\nreferences:\n    - https://attack.mitre.org/techniques/T1053.005/\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\\\Windows\\\\System32\\\\Tasks\\\\RustRansomNoteTask'\n    condition: selection\nfalsepositives:\n    - Legitimate system tasks with similar naming\nlevel: high\ntags:\n    - attack.persistence\n    - attack.t1053.005\n    - ransomware",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b9b994bb-6dd5-542a-9af4-1a7566cd3363",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.205807Z",
            "modified": "2026-06-14T11:55:42.205807Z",
            "name": "Database Service Termination - Ransomware Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Database Service Termination - Ransomware Pattern\nid: 4b2d7e9a-1c5f-3a8b-6d4e-2f7c9a3b5e1d\ndescription: Detects termination of SQL Server and Oracle database services\nstatus: test\ndate: 2026-01-26\nauthor: The Hunters Ledger\nreferences:\n    - https://attack.mitre.org/techniques/T1489/\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7036  # service entered the stopped state (7000 is a failed start)\n        param1|contains:\n            - 'sql'\n            - 'oracle'\n            - 'ocssd'\n            - 'dbsnmp'\n            - 'sqlservr'\n        param2: 'stopped'\n    timeframe: 10m\n    condition: selection | count(param1) > 1\nfalsepositives:\n    - Legitimate database maintenance\n    - Scheduled database restarts\nlevel: high\ntags:\n    - attack.impact\n    - attack.t1489\n    - database\n    - ransomware",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0640b6b5-85f0-59ce-9891-d1bc28d93ef4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20593Z",
            "modified": "2026-06-14T11:55:42.20593Z",
            "name": "Shadow Copy Deletion via vssadmin or wmic (KQL - Microsoft Defender for Endpoint / Sentinel)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where (ProcessCommandLine has \"vssadmin\" and ProcessCommandLine has \"delete\") or ProcessCommandLine has \"shadowcopy\"\n| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e3603b8f-d0cc-5924-81af-665455c6b441",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.206551Z",
            "modified": "2026-06-14T11:55:42.206551Z",
            "name": "Shadow Copy Deletion via vssadmin (Splunk SPL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main source=sysmon EventCode=1\n(CommandLine=\"*vssadmin*\" AND CommandLine=\"*delete*\" AND CommandLine=\"*shadows*\")\n| table _time, host, User, CommandLine, Image, ParentImage\n| sort -_time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--aa8c7e42-5aba-5754-a004-30aea9353352",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.207166Z",
            "modified": "2026-06-14T11:55:42.207166Z",
            "name": "Arsenal-237 ChaCha20 Ransomware Encryption Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (\n  msg:\"Arsenal-237 ChaCha20 Ransomware Encryption Pattern\";\n  flow:to_server,established;\n  content:\"ChaCha20\"; nocase;\n  classtype:trojan-activity;\n  sid:1000003;\n  rev:2;\n  priority:1;\n  metadata:malware_family Arsenal-237, tag ransomware, tag encryption;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e409ab7e-d21e-554f-a6f6-44d84b960e4c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.207293Z",
            "modified": "2026-06-14T11:55:42.207293Z",
            "name": "Arsenal-237 Ransom Note Domain Query",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert dns any any -> any 53 (\n  msg:\"Arsenal-237 Ransom Note Domain Query\";\n  dns.query; content:\"ICIIXGD1X8ZJ4T1MTQ6TLQIDJEMDE7U4\";\n  nocase; classtype:trojan-activity;\n  sid:1000004; rev:2; priority:2;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--311fb4d0-dc50-57f3-9637-37ecbe61a6e4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.207425Z",
            "modified": "2026-06-14T11:55:42.207425Z",
            "name": "Arsenal237_dec_fixed_exe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_dec_fixed_exe\n{\n    meta:\n        description = \"Arsenal-237 dec_fixed.exe - Per-victim ransomware decryptor\"\n        malware_family = \"Arsenal-237\"\n        sample_type = \"Ransomware Recovery Tool\"\n        severity = \"LOW\"\n        confidence = \"CONFIRMED\"\n        date_created = \"2026-01-26\"\n        hash_type = \"SHA256\"\n\n    strings:\n        $hash1 = \"d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802\" nocase\n\n    condition:\n        all of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--80ccf17e-636c-50b5-b94d-72cd8b57efa1",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.207548Z",
            "modified": "2026-06-14T11:55:42.207548Z",
            "name": "Arsenal237_Victim_Key_Decryptor",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Victim_Key_Decryptor\n{\n    meta:\n        description = \"Arsenal-237 decryptor with victim-specific ChaCha20 key\"\n        malware_family = \"Arsenal-237\"\n        sample_type = \"Ransomware Recovery Tool (Per-Victim)\"\n        severity = \"MEDIUM\"\n        confidence = \"CONFIRMED\"\n        date_created = \"2026-01-26\"\n\n    strings:\n        $key1 = \"1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba\" nocase\n        $key2 = \"67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b\" nocase\n\n    condition:\n        1 of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--40ffd638-c529-5036-ae12-3dfdd11edc1e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20767Z",
            "modified": "2026-06-14T11:55:42.20767Z",
            "name": "Arsenal237_ChaCha20_Decryption",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_ChaCha20_Decryption\n{\n    meta:\n        description = \"Arsenal-237 ChaCha20-Poly1305 AEAD decryption implementation\"\n        malware_family = \"Arsenal-237\"\n        cryptographic_algorithm = \"ChaCha20-Poly1305\"\n        standard = \"RFC 7539\"\n        severity = \"MEDIUM\"\n        confidence = \"CONFIRMED\"\n        date_created = \"2026-01-26\"\n\n    strings:\n        $constant1 = \"expand 32-byte k\" nocase\n        $error1 = \"Decryption failed - wrong key or corrupted file\"\n        $error2 = \"File corrupted - encrypted size mismatch\"\n\n    condition:\n        $constant1 and any of ($error*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9cb67205-630f-5d62-ba9b-bf37e3523917",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.207791Z",
            "modified": "2026-06-14T11:55:42.207791Z",
            "name": "Arsenal237_Decryptor_Tool",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Decryptor_Tool\n{\n    meta:\n        description = \"Arsenal-237 ransomware decryptor with directory traversal\"\n        malware_family = \"Arsenal-237\"\n        tool_type = \"Batch File Decryptor\"\n        severity = \"LOW\"\n        confidence = \"CONFIRMED\"\n        date_created = \"2026-01-26\"\n\n    strings:\n        $cmd1 = \"--folder-a\"\n        $error1 = \"File too small\"\n        $error2 = \"Could not find filename\"\n        $error3 = \"Invalid victim key hex\"\n        $cleanup = \"readme.txt\"\n\n    condition:\n        $cmd1 and 2 of ($error*) and $cleanup\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--05121241-3bad-5472-89fd-7cebaa9e4438",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20791Z",
            "modified": "2026-06-14T11:55:42.20791Z",
            "name": "Arsenal237_Rust_Compiled",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Rust_Compiled\n{\n    meta:\n        description = \"Arsenal-237 Rust-compiled ransomware tools (encryptors and decryptors)\"\n        malware_family = \"Arsenal-237\"\n        compiler = \"Rust (rustc)\"\n        severity = \"HIGH\"\n        confidence = \"CONFIRMED\"\n        date_created = \"2026-01-26\"\n\n    strings:\n        $chacha20_lib = \"chacha20\" nocase\n        $poly1305_lib = \"poly1305\" nocase\n        $hex_lib = \"hex\" nocase\n        $rust_string1 = \"expand 32-byte k\"\n        $rust_string2 = \"Decryption failed\" nocase\n\n    condition:\n        filesize > 900KB and filesize < 1MB and\n        all of ($chacha20*, $poly1305*, $hex*) and\n        $rust_string1\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--37b9f891-898f-5b27-a371-cb29241df693",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20803Z",
            "modified": "2026-06-14T11:55:42.20803Z",
            "name": "Arsenal-237 dec_fixed.exe Decryption Tool Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 dec_fixed.exe Decryption Tool Execution\nid: arsenal-237-dec-fixed-exe-execution\nstatus: experimental\ndescription: Detects execution of Arsenal-237 dec_fixed.exe decryption tool with --folder-a parameter\nauthor: The Hunters Ledger\ndate: 2026-01-26\nmodified: 2026-01-26\ntags:\n  - ransomware\n  - Arsenal-237\n  - recovery_tool\n  - decryption\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_process:\n    Image|endswith: 'dec_fixed.exe'\n    CommandLine|contains: '--folder-a'\n  selection_hash:\n    Hashes|contains:\n      - 'SHA256=d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802'\n      - 'MD5=7c5493a0a5df52682a5c2ba433634601'\n      - 'SHA1=29014d4d6fc42219cd9cdc130b868382cf2c14c2'\n  condition: selection_process or selection_hash\nfalsepositives:\n  - Legitimate victim decryption operations (low probability)\n  - Manual testing of recovered decryptor samples\nlevel: medium\nseverity: low\ncomment: This is a recovery tool, not an active threat. Detection prioritizes victim identification for post-incident response.",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--57656b92-0824-5176-ac74-6eecd5cd4f78",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208156Z",
            "modified": "2026-06-14T11:55:42.208156Z",
            "name": "Arsenal-237 A-Z Directory Enumeration Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 A-Z Directory Enumeration Pattern\nid: arsenal-237-directory-traversal-pattern\nstatus: experimental\ndescription: Detects Arsenal-237 characteristic A-Z subdirectory enumeration for encrypted file discovery\nauthor: The Hunters Ledger\ndate: 2026-01-26\nmodified: 2026-01-26\ntags:\n  - ransomware\n  - Arsenal-237\n  - discovery\n  - directory_traversal\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_files:\n    # Process accessing A-Z subdirectories in sequence\n    TargetFilename|contains:\n      - ':\\A\\'\n      - ':\\B\\'\n      - ':\\C\\'\n      - ':\\D\\'\n      - ':\\E\\'\n      - ':\\F\\'\n      - ':\\G\\'\n      - ':\\H\\'\n      - ':\\I\\'\n      - ':\\J\\'\n      - ':\\K\\'\n      - ':\\L\\'\n      - ':\\M\\'\n      - ':\\N\\'\n      - ':\\O\\'\n      - ':\\P\\'\n      - ':\\Q\\'\n      - ':\\R\\'\n      - ':\\S\\'\n      - ':\\T\\'\n      - ':\\U\\'\n      - ':\\V\\'\n      - ':\\W\\'\n      - ':\\X\\'\n      - ':\\Y\\'\n      - ':\\Z\\'\n    EventType: CreateFile\n  filter_system:\n    Image|contains:\n      - 'System32'\n      - 'Windows'\n  condition: selection_files and not filter_system\nfalsepositives:\n  - Batch file operations with organized directory structures\n  - Backup software using A-Z organization\n  - Development tools with systematic directory access\nlevel: medium\nseverity: low\ncomment: Ransomware-specific directory organization pattern, but false positives are likely given legitimate uses.",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f88b4b06-81a1-51eb-9663-e05844d0ca9e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208279Z",
            "modified": "2026-06-14T11:55:42.208279Z",
            "name": "Arsenal-237 Encrypted File Recovery (File Deletion Pattern)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 Encrypted File Recovery (File Deletion Pattern)\nid: arsenal-237-encrypted-file-recovery\nstatus: experimental\ndescription: Detects Arsenal-237 encrypted file recovery pattern - readme.txt deletion after file operations\nauthor: The Hunters Ledger\ndate: 2026-01-26\nmodified: 2026-01-26\ntags:\n  - ransomware\n  - Arsenal-237\n  - recovery_tool\n  - ransomware_cleanup\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_cleanup:\n    EventType: FileDelete\n    TargetFilename|endswith: 'readme.txt'\n  selection_context:\n    # readme.txt deletion following creation of files in same directory\n    Image|endswith:\n      - 'dec_fixed.exe'\n      - 'powershell.exe'\n      - 'cmd.exe'\n  timespan: 5m\n  condition: selection_cleanup and selection_context\nfalsepositives:\n  - Manual cleanup of ransom notes by IT teams\n  - Cleanup scripts deleting readme.txt files (common filename)\n  - Standard application installations deleting readme files\nlevel: low\nseverity: low\ncomment: Low confidence indicator due to generic nature of readme.txt deletion. Use in conjunction with other indicators.",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9e918263-9096-5679-a553-e13823014aa7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208403Z",
            "modified": "2026-06-14T11:55:42.208403Z",
            "name": "Arsenal-237 ChaCha20-Poly1305 Cryptographic Operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 ChaCha20-Poly1305 Cryptographic Operations\nid: arsenal-237-chacha20-operations\nstatus: experimental\ndescription: Detects ChaCha20-Poly1305 AEAD cryptographic operations consistent with Arsenal-237 tools\nauthor: The Hunters Ledger\ndate: 2026-01-26\nmodified: 2026-01-26\ntags:\n  - ransomware\n  - Arsenal-237\n  - cryptography\n  - decryption\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_modules:\n    # Rust libraries for ChaCha20-Poly1305 implementation\n    ImageLoaded|contains:\n      - 'chacha20'\n      - 'poly1305'\n      - 'aead'\n  selection_process:\n    ParentImage|endswith:\n      - 'cmd.exe'\n      - 'powershell.exe'\n      - 'explorer.exe'\n  filter_system:\n    Image|contains:\n      - 'System32'\n      - 'Windows'\n  condition: selection_modules and selection_process and not filter_system\nfalsepositives:\n  - Legitimate cryptographic applications\n  - Development environments using cryptographic libraries\n  - Security tools performing encryption/decryption\nlevel: low\nseverity: low\ncomment: Generic cryptographic indicator with high false positive rate. Most valuable in incident response context.",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7b28c91c-b6ff-5e98-9056-7d9eec76fd63",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208527Z",
            "modified": "2026-06-14T11:55:42.208527Z",
            "name": "Splunk SPL Query 1: Process Execution Hunting",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=1\n  (process_name=dec_fixed.exe OR command_line=\"*--folder-a*\")\n| stats count by host, process_name, command_line, user\n| where count > 0",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9046dc0d-8f2a-59f8-9881-52cc9681b714",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208649Z",
            "modified": "2026-06-14T11:55:42.208649Z",
            "name": "Splunk SPL Query 2: File Access Pattern Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=11\n  (TargetFilename=\"*:\\A\\*\" OR TargetFilename=\"*:\\B\\*\" OR TargetFilename=\"*:\\C\\*\")\n  earliest=-24h\n| stats count by host, Image, TargetFilename\n| where count > 50\n| eval suspicious=if(count>100, \"POSSIBLE\", \"MONITOR\")",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7b65b31a-24e6-5fef-a5c8-2cbaa02e275f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208775Z",
            "modified": "2026-06-14T11:55:42.208775Z",
            "name": "Splunk SPL Query 3: Ransom Note Deletion Hunting",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=23\n  TargetFilename=\"*readme.txt\"\n| stats count by host, Image, TargetFilename\n| where Image!=\"*explorer.exe\" AND Image!=\"*Windows*\"",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2fb74347-3d7c-5c35-b297-b782df112c13",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.208902Z",
            "modified": "2026-06-14T11:55:42.208902Z",
            "name": "Splunk SPL Query 4: File Correlation - Creation and Deletion",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode IN (11, 23)\n| stats earliest(_time) as first_event, latest(_time) as last_event by host, Image\n| where (last_event - first_event) < 300\n| table host, Image, first_event, last_event\n| eval time_delta=round(last_event - first_event)",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--56d313e0-0552-5efe-80ec-81ca22e079a0",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.209029Z",
            "modified": "2026-06-14T11:55:42.209029Z",
            "name": "KQL (Azure Sentinel) Query 1: Process Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where FileName == \"dec_fixed.exe\" and CommandLine contains \"--folder-a\"\n| summarize count() by DeviceName, ProcessCommandLine, Timestamp\n| where count_ > 0",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7bf0c003-c753-5296-aa15-6fdaf5e5adac",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.209159Z",
            "modified": "2026-06-14T11:55:42.209159Z",
            "name": "KQL (Azure Sentinel) Query 2: File Activity Correlation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where ActionType in (\"FileCreated\", \"FileModified\")\n  and FolderPath contains \":\\\\\"\n  and Timestamp > ago(24h)\n| summarize file_count=count() by DeviceName, InitiatingProcessFileName\n| where file_count > 100\n| join kind=inner (\n    DeviceFileEvents\n    | where ActionType == \"FileDeleted\" and FileName == \"readme.txt\"\n  ) on DeviceName",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--797cac04-c8b0-5673-8d80-d0fe0ec4c59c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20929Z",
            "modified": "2026-06-14T11:55:42.20929Z",
            "name": "enc_c2_exe_file_hash",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule enc_c2_exe_file_hash {\n    meta:\n        description = \"Detects enc_c2.exe ransomware sample by hash\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Ransomware\"\n        malware_family = \"Arsenal-237\"\n        severity = \"CRITICAL\"\n\n    hash:\n        sha256 = \"613d4d0f1612686742889e834ebc9ebff6ae021cf81a4c50f66369195ca01899\"\n        md5 = \"32a3497e57604e1037f1ff9993a8fdaa\"\n        sha1 = \"34d3c75e79633eb3bf47e751fb31274760aeae09\"\n\n    condition:\n        any of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--522259a6-cc5f-523d-ac8b-14ed400d23f0",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.209423Z",
            "modified": "2026-06-14T11:55:42.209423Z",
            "name": "chacha20_encryption_constants",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule chacha20_encryption_constants {\n    meta:\n        description = \"Detects ChaCha20 cipher implementation (ransomware encryption)\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Ransomware\"\n        severity = \"HIGH\"\n\n    strings:\n        $chacha_constant_1 = \"expand 32-byte k\" ascii\n        $chacha_constant_2 = \"Chacha_256_constant\" ascii\n        $chacha_library = \"aead-0.5.2\" ascii\n        $chacha_function = \"chacha20\" ascii nocase\n\n    condition:\n        any of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6c8833ca-5ba6-5412-884c-c965de16a608",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.209566Z",
            "modified": "2026-06-14T11:55:42.209566Z",
            "name": "tor_hidden_service_c2",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule tor_hidden_service_c2 {\n    meta:\n        description = \"Detects Tor hidden service C2 communication infrastructure\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"C2 Infrastructure\"\n        severity = \"CRITICAL\"\n\n    strings:\n        $c2_domain = \"rustydl5ak6p6ajqnja6qzkxvp5huhe4olpdsq5oy75ea4o34aalpkqd.onion\" ascii\n        $c2_endpoint = \"/c2/beacon.php\" ascii\n        $c2_protocol = \"POST /c2/beacon.php\" ascii\n        $onion_tld = \".onion\" ascii\n\n    condition:\n        any of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00601262-681e-5f6e-8cee-717b2be52875",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.20975Z",
            "modified": "2026-06-14T11:55:42.20975Z",
            "name": "raas_builder_tracking",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule raas_builder_tracking {\n    meta:\n        description = \"Detects RaaS builder ID and affiliate tracking\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Ransomware (RaaS)\"\n        severity = \"MEDIUM\"\n\n    strings:\n        $builder_id_default = \"TEST_BUILD_001\" ascii\n        $builder_id_generic = \"builder_id\" ascii\n        $victim_id = \"victim_id\" ascii\n        $encryption_key = \"encryption_key\" ascii\n        $machine_info = \"machine_info\" ascii\n\n    condition:\n        (($builder_id_default and $builder_id_generic) or\n         ($builder_id_generic and $encryption_key and $victim_id and $machine_info))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--df7c3436-9e3c-56b3-911e-fb71c39f2bd6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.209885Z",
            "modified": "2026-06-14T11:55:42.209885Z",
            "name": "enc_c2_ransomware_operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule enc_c2_ransomware_operations {\n    meta:\n        description = \"Detects enc_c2 ransomware operational strings\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Ransomware\"\n        severity = \"HIGH\"\n\n    strings:\n        $ransom_msg = \"YOUR FILES HAVE BEEN ENCRYPTED!\" ascii\n        $ransom_note = \"README.txt\" ascii\n        $encrypted_extension = \".locked\" ascii\n        $enc_c2_executable = \"enc_c2.exe\" ascii\n        $http_client = \"ureq\" ascii\n\n    condition:\n        3 of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7c6a66a7-c3bc-5856-b620-a793ac163aa3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.210016Z",
            "modified": "2026-06-14T11:55:42.210016Z",
            "name": "teb_anti_debug_detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule teb_anti_debug_detection {\n    meta:\n        description = \"Detects TEB-based anti-debugging in enc_c2.exe\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Anti-Analysis\"\n        severity = \"MEDIUM\"\n\n    strings:\n        $teb_api = \"NtCurrentTeb\" ascii\n        $stack_base = \"StackBase\" ascii\n        $sleep_loop = { 68 88 13 00 00 FF 15 } // Push 0x1388 (5000ms) / Call Sleep\n        $sleep_1000 = { 68 E8 03 00 00 FF 15 } // Push 0x3E8 (1000ms) / Call Sleep\n\n    condition:\n        ($teb_api and ($sleep_loop or $sleep_1000))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a468b071-fa26-5f52-bd35-b5e3654ece81",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.210157Z",
            "modified": "2026-06-14T11:55:42.210157Z",
            "name": "rust_compilation_artifacts",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule rust_compilation_artifacts {\n    meta:\n        description = \"Detects Rust compiler artifacts in malware binaries\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        malware_type = \"Rust-based Malware\"\n        severity = \"MEDIUM\"\n\n    strings:\n        $rust_lib_path = \"/root/.cargo/registry/src/\" ascii\n        $crates_io = \"index.crates.io\" ascii\n        $rustc = \"rustc\" ascii\n        $rust_std = \"std\" ascii\n\n    condition:\n        2 of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4b05e0ce-26af-5bb8-948f-f78da48a1de3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.21034Z",
            "modified": "2026-06-14T11:55:42.21034Z",
            "name": "enc_c2.exe Process Execution - Ransomware",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: enc_c2.exe Process Execution - Ransomware\ndescription: Detects execution of enc_c2.exe ransomware executable\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection_filename:\n    - Image|endswith: 'enc_c2.exe'\n    - OriginalFileName: 'enc_c2.exe'\n  selection_commandline:\n    CommandLine|contains:\n      - 'enc_c2.exe'\n      - '--folder'\n      - '--c2'\n      - '--bid'\n  condition: selection_filename or selection_commandline\nfalsepositives:\n  - None expected\nlevel: critical\ntags:\n  - attack.execution\n  - attack.t1204.002\n  - attack.impact\n  - attack.t1486",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3169826b-d523-5ed1-8bb7-ef15a48a83f2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.210511Z",
            "modified": "2026-06-14T11:55:42.210511Z",
            "name": "Ransomware - File Creation with .locked Extension",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Ransomware - File Creation with .locked Extension\ndescription: Detects creation of encrypted files with .locked extension appended\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|endswith: '.locked'\n  filter_excludes:\n    - TargetFilename|contains:\n        - '~$'\n        - 'Temp'\n  condition: selection and not filter_excludes\nfalsepositives:\n  - Legitimate .locked files (rare)\nlevel: high\ntags:\n  - attack.impact\n  - attack.t1486",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e4455bbf-a13a-577f-b0f8-67200df89965",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.210854Z",
            "modified": "2026-06-14T11:55:42.210854Z",
            "name": "Ransomware - Ransom Note Creation (README.txt)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Ransomware - Ransom Note Creation (README.txt)\ndescription: Detects creation of README.txt ransom notes in user-accessible directories\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection_file:\n    TargetFilename|endswith: 'README.txt'\n  selection_location:\n    TargetFilename|contains:\n      - 'C:\\Users\\'\n      - 'C:\\Documents'\n      - 'C:\\Desktop'\n  selection_content:\n    Contents|contains: 'YOUR FILES HAVE BEEN ENCRYPTED'\n  condition: selection_file and selection_location\nfalsepositives:\n  - Legitimate README files (unlikely with encrypted content)\nlevel: high\ntags:\n  - attack.impact\n  - attack.t1486",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6f65c37e-fe7f-5662-8705-1b354efe674c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.211118Z",
            "modified": "2026-06-14T11:55:42.211118Z",
            "name": "Network - HTTP POST to .onion Domain (Tor C2)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Network - HTTP POST to .onion Domain (Tor C2)\ndescription: Detects HTTP POST requests to .onion hidden service domains (Tor C2 communication)\nlogsource:\n  product: firewall\n  category: http_request\ndetection:\n  selection:\n    http_method: POST\n    http_host|endswith: '.onion'\n    http_uri: '/c2/beacon.php'\n  selection_target:\n    http_host|contains: 'rustydl5ak6p6ajqnja6qzkxvp5huhe4olpdsq5oy75ea4o34aalpkqd'\n  condition: selection or selection_target\nfalsepositives:\n  - Legitimate Tor traffic (unlikely in an enterprise environment)\nlevel: critical\ntags:\n  - attack.command_and_control\n  - attack.t1071.001\n  - attack.t1090.003",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b705daf2-6d7c-5e89-ae2e-085ac95318b5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.211353Z",
            "modified": "2026-06-14T11:55:42.211353Z",
            "name": "Network - Outbound Connection to Tor Entry Node",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Network - Outbound Connection to Tor Entry Node\ndescription: Detects outbound connections to known Tor entry nodes (indicates Tor client usage)\nlogsource:\n  product: firewall\n  category: network_connection\ndetection:\n  selection:\n    DestinationPort: 443\n    DestinationIp|startswith:\n      - '109.105.'\n      - '188.226.'\n      - '195.154.'\n      - '198.51.100.'\n      - '203.0.113.'\n  selection_direction:\n    Direction: 'Outbound'\n  filter_whitelisted:\n    DestinationIp|in:\n      - '8.8.8.8'\n      - '1.1.1.1'\n  condition: selection and selection_direction and not filter_whitelisted\nfalsepositives:\n  - Legitimate VPN traffic\n  - Tor Browser usage (expected in some environments)\nlevel: high\ntags:\n  - attack.command_and_control\n  - attack.t1090.003",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d9f0e435-1429-55ef-8cec-a5b14f6f6d26",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.211655Z",
            "modified": "2026-06-14T11:55:42.211655Z",
            "name": "Registry - Absence of Ransomware Persistence Mechanisms",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Registry - Absence of Ransomware Persistence Mechanisms\ndescription: Detects persistence registry keys referencing known ransomware; none are expected, so any match indicates an unexpected persistence artifact\nlogsource:\n  product: windows\n  category: registry_event\ndetection:\n  selection:\n    RegistryPath|contains:\n      - 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n      - 'Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\n      - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n    RegistryValue|contains:\n      - 'enc_c2'\n      - 'TEST_BUILD_001'\n  condition: selection\nfalsepositives:\n  - None\nlevel: medium\ntags:\n  - attack.persistence\n  - detection_gap\nnote: 'enc_c2.exe appears to use a single-run model without persistence; this rule fires when infected systems show persistence artifacts'",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7a83678e-7fa5-51e8-a1df-f3cfccad473a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.211876Z",
            "modified": "2026-06-14T11:55:42.211876Z",
            "name": "Process - TEB Anti-Debug Sleep Loop Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Process - TEB Anti-Debug Sleep Loop Detection\ndescription: Detects repeated Sleep(1000) calls indicating TEB-based anti-debugging\nlogsource:\n  product: windows\n  category: process_access\ndetection:\n  selection:\n    Image|endswith: 'enc_c2.exe'\n    CallTrace|contains:\n      - 'Sleep'\n      - 'SleepEx'\n      - '0x3E8'  # 1000 milliseconds in hex\n  filter_normal:\n    CallCount|lt: 3  # Allow normal sleep calls\n  condition: selection and not filter_normal\nfalsepositives:\n  - Legitimate applications with sleep loops (rate limiting, polling)\nlevel: medium\ntags:\n  - attack.defense_evasion\n  - attack.t1622",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a788e55e-a520-5dc9-bd98-abbb36c3a04e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.212058Z",
            "modified": "2026-06-14T11:55:42.212058Z",
            "name": "Splunk Query 1: enc_c2.exe Process Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=sysmon EventID=1 (CommandLine=\"*enc_c2.exe*\" OR Image=\"*enc_c2.exe\")\n| stats earliest(_time) as first_exec, latest(_time) as last_exec, count as exec_count by host, Image, CommandLine\n| where count >= 1\n| table host, Image, CommandLine, first_exec, last_exec, exec_count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--76803065-b394-5d47-aeda-bce564b7c3d2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.212241Z",
            "modified": "2026-06-14T11:55:42.212241Z",
            "name": "Splunk Query 2: Bulk File Encryption Pattern Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=sysmon EventID=11 (TargetFilename=\"*.locked\")\n| stats count as locked_files earliest(_time) as encryption_start latest(_time) as encryption_end by host, Image, User\n| eval encryption_duration=encryption_end-encryption_start\n| where locked_files > 50 AND encryption_duration < 600\n| table host, Image, User, locked_files, encryption_start, encryption_duration",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--33918666-1e5a-5a7b-a599-b4ac0af0d5f5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.21243Z",
            "modified": "2026-06-14T11:55:42.21243Z",
            "name": "Splunk Query 3: README.txt Ransom Note Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=sysmon EventID=11 TargetFilename=\"*README.txt\" (TargetFilename=\"*Users*\" OR TargetFilename=\"*Documents*\" OR TargetFilename=\"*Desktop*\")\n| stats count as readme_count earliest(_time) as first_note by host, User\n| search count > 0\n| table host, User, first_note, readme_count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d4dbd52c-d42d-5ae9-8fde-c141603549ee",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.212613Z",
            "modified": "2026-06-14T11:55:42.212613Z",
            "name": "Splunk Query 4: Tor Hidden Service C2 Communication",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=proxy http_method=POST (uri=\"*c2/beacon.php\" OR http_host=\"*rustydl5ak6p6ajqnja6qzkxvp5huhe4olpdsq5oy75ea4o34aalpkqd.onion\")\n| stats earliest(_time) as beacon_time, latest(_time) as last_beacon by host, src_ip, dest_ip, http_host\n| eval beacons=count\n| table host, src_ip, dest_ip, http_host, beacon_time, beacons",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ab3d5526-e478-51bf-88b5-a99ca1f28114",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.212802Z",
            "modified": "2026-06-14T11:55:42.212802Z",
            "name": "Splunk Query 5: Correlation - Process + File Encryption + C2 Communication",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=sysmon EventID=1 CommandLine=\"*enc_c2.exe*\"\n| stats earliest(_time) as proc_exec by host\n| join host\n  [search index=sysmon EventID=11 TargetFilename=\"*.locked\" | stats earliest(_time) as file_encrypt by host]\n| join host\n  [search index=proxy http_host=\"*onion\" | stats earliest(_time) as c2_beacon by host]\n| eval proc_to_file=(file_encrypt-proc_exec), file_to_c2=(c2_beacon-file_encrypt)\n| where proc_to_file > 0 AND proc_to_file < 600\n| table host, proc_exec, file_encrypt, c2_beacon, proc_to_file, file_to_c2\n| alert",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--fb83e018-3ace-55e3-80c0-7daccbccaef7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.212995Z",
            "modified": "2026-06-14T11:55:42.212995Z",
            "name": "RANSOMWARE enc_c2.exe Tor C2 Beacon - /c2/beacon.php",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> $EXTERNAL_NET any (\n    msg:\"RANSOMWARE enc_c2.exe Tor C2 Beacon - /c2/beacon.php\";\n    content:\"POST\"; http_method;\n    content:\".onion\"; http_uri;\n    content:\"rustydl5ak6p6ajqnja6qzkxvp5huhe4olpdsq5oy75ea4o34aalpkqd.onion\"; http_host;\n    content:\"Content-Type|3a| application/json\"; http_header;\n    flow:to_server,established;\n    classtype:trojan-activity;\n    sid:1000001;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2ab438ee-d558-5bbd-a63b-48e44ed42753",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.213174Z",
            "modified": "2026-06-14T11:55:42.213174Z",
            "name": "RANSOMWARE - Tor Entry Node Connection (Possible Tor Client)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> [109.105.0.0/16,188.226.0.0/15,195.154.0.0/16] 443 (\n    msg:\"RANSOMWARE - Tor Entry Node Connection (Possible Tor Client)\";\n    flow:to_server,established;\n    content:\"|16|03|01|\";\n    depth:3;\n    classtype:suspicious-behavior;\n    sid:1000002;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--048d83e8-0d11-55ca-a897-31eef337c93a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.213378Z",
            "modified": "2026-06-14T11:55:42.213378Z",
            "name": "Hunting Query 1: Search for enc_c2.exe Variants",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "(FileName=\"enc_c2.exe\" OR FileName=\"*enc_c2*\" OR FileDescription=\"*enc_c2*\")\n| stats count as variant_count by MD5, SHA256, FileSize\n| search FileSize > 3000000",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--139d7adf-4949-5bb5-ac51-012bc7bce56a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.213563Z",
            "modified": "2026-06-14T11:55:42.213563Z",
            "name": "Hunting Query 3: .locked File Creation Timeline",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "TargetFilename=\"*.locked\" OR FileName=\"*.locked\"\n| timechart count by host\n| search count > 10\n| table host, count, _time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6db27f16-38fd-55b0-a0de-517a8b41cd98",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.213769Z",
            "modified": "2026-06-14T11:55:42.213769Z",
            "name": "Hunting Query 4: Tor Traffic from Non-VPN Processes",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "NetworkDev\n| where DestinationPort == 443 and DestinationIp contains \"89.163\" or \"190.3\" or \"204.85\"\n| where InitiatingProcessName != \"firefox.exe\" and InitiatingProcessName != \"tor.exe\"\n| project TimeGenerated, ComputerName, InitiatingProcessName, DestinationIp, DestinationPort",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d2bc84c4-86a6-5a28-add3-24140aa86705",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.213966Z",
            "modified": "2026-06-14T11:55:42.213966Z",
            "name": "Hunting Query 5: SOCKS Proxy Connections",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DestinationPort IN (9050, 9150) AND DestinationIp IN (127.0.0.1, localhost)\n| stats count as socks_connections by host, Image, DestinationPort\n| search count > 0",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4dbe3444-4e81-56f5-94ad-304fb164aa29",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.214145Z",
            "modified": "2026-06-14T11:55:42.214145Z",
            "name": "Chromelevator_Browser_Credential_Extraction",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Chromelevator_Browser_Credential_Extraction {\n    meta:\n        description = \"Detects chromelevator.exe browser credential extraction tool\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        category = \"trojan\"\n        family = \"Arsenal-237\"\n\n    strings:\n        // Primary identifiers\n        $filename = \"chromelevator.exe\" nocase ascii\n        $payload = \"PAYLOAD_DLL\" nocase ascii\n\n        // Browser targeting\n        $chrome = \"chrome.exe\" nocase ascii\n        $brave = \"brave.exe\" nocase ascii\n        $edge = \"msedge.exe\" nocase ascii\n\n        // Functional strings\n        $named_pipe = \"Named pipe server created\" nocase ascii\n        $reflective = \"ReflectiveLoader\" nocase ascii\n        $extraction = \"Extracted\" nocase ascii\n        $cookies = \"cookies\" nocase ascii\n        $passwords = \"passwords\" nocase ascii\n        $payments = \"payments\" nocase ascii\n\n        // Command-line arguments\n        $verbose = \"--verbose\" nocase ascii\n        $fingerprint = \"--fingerprint\" nocase ascii\n        $output = \"--output-path\" nocase ascii\n        $help = \"--help\" nocase ascii\n\n        // API calls\n        $create_pipe = \"CreateNamedPipeW\" nocase ascii\n        $connect_pipe = \"ConnectNamedPipe\" nocase ascii\n        $find_resource = \"FindResourceW\" nocase ascii\n        $load_resource = \"LoadResource\" nocase ascii\n\n    condition:\n        // Definite detection: filename + payload + extraction capability\n        ($filename and $payload and ($extraction or ($cookies and $passwords))) or\n\n        // Strong detection: multiple browser targets + extraction capability\n        (3 of ($chrome, $brave, $edge) and 2 of ($extraction, $cookies, $passwords)) or\n\n        // Behavioral detection: reflective loading + named pipe + browser targeting\n        ($reflective and $named_pipe and any of ($chrome, $brave, $edge)) or\n\n        // Command-line argument signature\n        (2 of ($verbose, $fingerprint, $output, $help) and any of ($chrome, $brave, $edge))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3dd48bf1-3e4d-51de-9fef-6232e464f3fd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.214325Z",
            "modified": "2026-06-14T11:55:42.214325Z",
            "name": "Arsenal237_Direct_Syscall_Framework",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Direct_Syscall_Framework {\n    meta:\n        description = \"Detects direct syscall implementation used by Arsenal-237 components\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        category = \"evasion\"\n\n    strings:\n        // Zw* syscall functions (EDR bypass)\n        $zw_alloc = \"ZwAllocateVirtualMemory\" nocase ascii\n        $zw_write = \"ZwWriteVirtualMemory\" nocase ascii\n        $zw_read = \"ZwReadVirtualMemory\" nocase ascii\n        $zw_protect = \"ZwProtectVirtualMemory\" nocase ascii\n        $zw_create_thread = \"ZwCreateThreadEx\" nocase ascii\n        $zw_open_proc = \"ZwOpenProcess\" nocase ascii\n        $zw_query_proc = \"ZwQueryInformationProcess\" nocase ascii\n        $zw_context = \"ZwGetContextThread\" nocase ascii\n        $zw_set_context = \"ZwSetContextThread\" nocase ascii\n        $zw_resume = \"ZwResumeThread\" nocase ascii\n\n        // Multiple syscalls indicate framework\n        $zw_pattern = /Zw[A-Z][a-zA-Z]+/\n\n    condition:\n        // Multiple critical syscalls indicate EDR bypass framework\n        (5 of ($zw_alloc, $zw_write, $zw_protect, $zw_create_thread, $zw_open_proc)) or\n\n        // Pattern-based detection of systematic syscall usage\n        (all of them and #zw_pattern >= 10)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dae5ac10-9336-5802-b484-9ae2e3ad87ba",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.214509Z",
            "modified": "2026-06-14T11:55:42.214509Z",
            "name": "Reflective_DLL_Injection_Framework",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Reflective_DLL_Injection_Framework {\n    meta:\n        description = \"Detects reflective DLL injection implementation\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        category = \"execution\"\n\n    strings:\n        // PE header parsing\n        $dos_header = \"MZ\" at 0\n        $nt_header = \"PE\" at 60\n        $pe_sig = { 50 45 00 00 }  // \"PE\\x00\\x00\"\n\n        // Reflective loader\n        $reflective_loader = \"ReflectiveLoader\" nocase ascii\n        $reflective_export = \"reflective\" nocase ascii wide\n\n        // PE parsing functions\n        $dos_hdr = \"DOS\" nocase ascii\n        $file_hdr = \"File\" nocase ascii\n        $opt_hdr = \"Optional\" nocase ascii\n\n        // Memory injection indicators\n        $alloc = \"VirtualAllocEx\" nocase ascii\n        $write = \"WriteProcessMemory\" nocase ascii\n        $protect = \"VirtualProtectEx\" nocase ascii\n        $create_remote = \"CreateRemoteThread\" nocase ascii\n\n        // Direct syscall injection\n        $zw_alloc = \"ZwAllocateVirtualMemory\" nocase ascii\n        $zw_write = \"ZwWriteVirtualMemory\" nocase ascii\n        $zw_protect = \"ZwProtectVirtualMemory\" nocase ascii\n        $zw_create = \"ZwCreateThreadEx\" nocase ascii\n\n    condition:\n        // Reflective DLL loading pattern\n        ($reflective_loader and $dos_header and $nt_header) or\n\n        // Reflective injection via direct syscalls\n        ($reflective_loader and all of ($zw_alloc, $zw_write, $zw_protect, $zw_create)) or\n\n        // Reflective injection via Windows APIs\n        ($reflective_loader and all of ($alloc, $write, $protect, $create_remote))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a0793479-4668-5c06-a4ea-1fabc89d38aa",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.214707Z",
            "modified": "2026-06-14T11:55:42.214707Z",
            "name": "Suspicious Process Creation - chromelevator.exe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Process Creation - chromelevator.exe\ndescription: Detects execution of chromelevator.exe browser credential extraction tool\nstatus: experimental\nauthor: The Hunters Ledger\ndate: 2026/01/26\nseverity: CRITICAL\ntags:\n  - attack.credential_access\n  - attack.t1555.003\n  - attack.defense_evasion\n  - malware.arsenal237\n\ndetection:\n  selection_image:\n    Image|endswith: 'chromelevator.exe'\n\n  selection_commandline:\n    CommandLine|contains:\n      - '--verbose'\n      - '--fingerprint'\n      - '--output-path'\n\n  filter_legitimate:\n    ParentImage|contains:\n      - 'chrome.exe'\n      - 'msedge.exe'\n      - 'firefox.exe'\n\n  condition: selection_image and (selection_commandline or 1 of selection_*)\n\nfalsepositives:\n  - Legitimate browser management tools\n  - System administrators testing security\n\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--623d1206-14a7-5311-8a3a-4e0d696a173c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.214886Z",
            "modified": "2026-06-14T11:55:42.214886Z",
            "name": "Suspicious Named Pipe Creation - Reflective Injection C2",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Named Pipe Creation - Reflective Injection C2\ndescription: Detects named pipe creation patterns associated with process injection and C2 communication\nstatus: experimental\nauthor: The Hunters Ledger\ndate: 2026/01/26\nseverity: CRITICAL\ntags:\n  - attack.execution\n  - attack.t1055.001\n  - attack.command_and_control\n  - malware.arsenal237\n\ndetection:\n  selection_event:\n    EventID:\n      - 23  # Pipe created\n      - 24  # Pipe connected\n\n  selection_pipe_pattern:\n    PipeName|contains:\n      - '\\\\.\\pipe\\'\n\n  selection_source_process:\n    Image|endswith:\n      - 'chromelevator.exe'\n      - 'explorer.exe'  # for credential harvesting variants\n      - 'svchost.exe'   # for persistence variants\n\n  filter_legitimate:\n    PipeName|contains:\n      - 'lsass'\n      - 'winlogon'\n      - 'winspool'\n      - 'netdde'\n\n  condition: selection_event and selection_pipe_pattern and selection_source_process and not filter_legitimate\n\nfalsepositives:\n  - Legitimate RPC communication\n  - Named pipe usage by antivirus/EDR solutions\n\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--aaac0032-d5cd-50de-97d4-382c4bd9aa2d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215063Z",
            "modified": "2026-06-14T11:55:42.215063Z",
            "name": "Suspicious Process Injection - Memory Allocation Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Process Injection - Memory Allocation Pattern\ndescription: Detects process injection through memory allocation, writing, and thread creation sequence\nstatus: experimental\nauthor: The Hunters Ledger\ndate: 2026/01/26\nseverity: CRITICAL\ntags:\n  - attack.execution\n  - attack.t1055.001\n  - attack.defense_evasion\n\ndetection:\n  selection_target_processes:\n    TargetImage|endswith:\n      - 'chrome.exe'\n      - 'brave.exe'\n      - 'msedge.exe'\n      - 'firefox.exe'\n\n  selection_suspicious_apis:\n    EventType:\n      - 'CallCreateRemoteThreadApi'\n      - 'CallVirtualAllocExApi'\n      - 'CallWriteProcessMemoryApi'\n      - 'CallVirtualProtectExApi'\n    EventID: 10  # Image loaded\n\n  selection_sequence:\n    API|contains|all:\n      - 'AllocateVirtualMemory'\n      - 'WriteVirtualMemory'\n      - 'ProtectVirtualMemory'\n      - 'CreateThreadEx'\n\n  condition: selection_target_processes and 3 of (selection_suspicious_apis, selection_sequence)\n\nfalsepositives:\n  - Legitimate software using process injection (installers, debuggers)\n\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bfb6c6c7-eb32-5bdd-be25-faeed0192bfa",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215259Z",
            "modified": "2026-06-14T11:55:42.215259Z",
            "name": "Suspicious Browser Credential Database Access",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Browser Credential Database Access\ndescription: Detects access to Chrome/Brave/Edge credential databases by non-browser processes\nstatus: experimental\nauthor: The Hunters Ledger\ndate: 2026/01/26\nseverity: CRITICAL\ntags:\n  - attack.credential_access\n  - attack.t1555.003\n\ndetection:\n  selection_browser_db_access:\n    TargetFilename|contains|all:\n      - 'User Data'\n      - 'Login Data'\n    OR:\n      - TargetFilename|contains:\n          - 'Chrome\\\\User Data\\\\Default\\\\Cookies'\n          - 'Brave-Browser\\\\User Data\\\\Default\\\\Cookies'\n          - 'Edge\\\\User Data\\\\Default\\\\Cookies'\n          - 'Google\\\\Chrome\\\\User Data\\\\Default\\\\Web Data'\n\n  selection_process_exclusion:\n    Image|endswith:\n      - 'chrome.exe'\n      - 'brave.exe'\n      - 'msedge.exe'\n      - 'firefox.exe'\n\n  filter_system_process:\n    User|contains: 'SYSTEM'\n\n  condition: selection_browser_db_access and not (selection_process_exclusion or filter_system_process)\n\nfalsepositives:\n  - Browser backup/sync tools\n  - Password managers accessing browser data\n  - System recovery tools\n\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f271c625-feb2-5827-9016-2fe577eb0bd5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215446Z",
            "modified": "2026-06-14T11:55:42.215446Z",
            "name": "Suspicious Direct Syscall Usage - EDR Bypass",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Direct Syscall Usage - EDR Bypass\ndescription: Detects direct syscall invocation bypassing Windows API monitoring\nstatus: experimental\nauthor: The Hunters Ledger\ndate: 2026/01/26\nseverity: CRITICAL\ntags:\n  - attack.defense_evasion\n  - attack.t1622\n  - malware.arsenal237\n\ndetection:\n  selection_syscall_pattern:\n    EventID:\n      - 8   # CreateRemoteThread\n      - 10  # ProcessAccess (syscall-based)\n\n  selection_suspicious_syscalls:\n    API|contains|any:\n      - 'ZwAllocateVirtualMemory'\n      - 'ZwWriteVirtualMemory'\n      - 'ZwCreateThreadEx'\n      - 'ZwProtectVirtualMemory'\n      - 'ZwOpenProcess'\n\n  selection_target:\n    TargetImage|endswith:\n      - 'chrome.exe'\n      - 'brave.exe'\n      - 'msedge.exe'\n\n  condition: all of selection_*\n\nfalsepositives:\n  - System administration tools\n  - Debugging tools\n\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5662179e-e962-5f13-9708-9f619feb4ef6",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215631Z",
            "modified": "2026-06-14T11:55:42.215631Z",
            "name": "chromelevator.exe Process Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where ProcessName has \"chromelevator.exe\"\n| where CommandLine contains \"--verbose\" or CommandLine contains \"--output-path\" or CommandLine contains \"--fingerprint\"\n| project\n    Timestamp,\n    DeviceName,\n    ProcessId,\n    ProcessName,\n    CommandLine,\n    ParentProcessName,\n    AccountName,\n    ProcessCommandLine\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9496950c-f698-5246-b7e0-913d335e8fc7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215817Z",
            "modified": "2026-06-14T11:55:42.215817Z",
            "name": "Named Pipe Creation by Suspicious Processes",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where FileName has \"pipe\" and FileName has \".\\\\pipe\\\\\"\n| where InitiatingProcessName has \"chromelevator.exe\" or InitiatingProcessName has \"explorer.exe\"\n| join kind=inner (\n    DeviceProcessEvents\n    | where ProcessName has \"chromelevator.exe\"\n) on DeviceId, InitiatingProcessId\n| project\n    Timestamp,\n    DeviceName,\n    FileName,\n    InitiatingProcessName,\n    ActionType,\n    AccountName\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1d7c9385-eceb-5a9b-880f-45908851e2fd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.215995Z",
            "modified": "2026-06-14T11:55:42.215995Z",
            "name": "Process Injection Detection - Memory Operations Sequence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where ProcessName has \"chrome.exe\" or ProcessName has \"brave.exe\" or ProcessName has \"msedge.exe\"\n| where ActionType has \"VirtualAllocEx\" or ActionType has \"WriteProcessMemory\" or ActionType has \"CreateRemoteThread\"\n| project\n    Timestamp,\n    DeviceName,\n    ProcessName,\n    ParentProcessName,\n    ActionType,\n    AccountName\n| order by Timestamp desc\n| extend\n    InjectionIndicator = iff(ActionType == \"VirtualAllocEx\", \"Allocation\",\n                      iff(ActionType == \"WriteProcessMemory\", \"Writing\",\n                      iff(ActionType == \"CreateRemoteThread\", \"Execution\", \"Unknown\")))\n| where InjectionIndicator != \"Unknown\"",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cca7f767-09a3-5173-9443-e4c121938db4",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216181Z",
            "modified": "2026-06-14T11:55:42.216181Z",
            "name": "Browser Database Access by Non-Browser Processes",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where FileName contains_cs @\"User Data\" and FileName contains_cs @\"Login Data\"\n| where InitiatingProcessName !has_cs \"chrome.exe\" and\n        InitiatingProcessName !has_cs \"brave.exe\" and\n        InitiatingProcessName !has_cs \"msedge.exe\" and\n        InitiatingProcessName !has_cs \"firefox.exe\"\n| where ActionType == \"FileRead\" or ActionType == \"FileModified\"\n| project\n    Timestamp,\n    DeviceName,\n    FileName,\n    InitiatingProcessName,\n    InitiatingProcessAccountName,\n    ActionType\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f0304b53-06c6-5071-8146-c8e60841a5ea",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216367Z",
            "modified": "2026-06-14T11:55:42.216367Z",
            "name": "Registry Enumeration for Browser Installations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceRegistryEvents\n| where RegistryKey has \"Software\\\\Google\\\\Chrome\" or\n        RegistryKey has \"Software\\\\BraveSoftware\" or\n        RegistryKey has \"Software\\\\Microsoft\\\\Edge\"\n| where InitiatingProcessName has \"chromelevator.exe\" or\n        InitiatingProcessName has_cs \"explorer.exe\" or\n        InitiatingProcessName !in~ (\"regedit.exe\", \"powershell.exe\", \"cmd.exe\")\n| project\n    Timestamp,\n    DeviceName,\n    RegistryKey,\n    RegistryValueName,\n    InitiatingProcessName,\n    ActionType,\n    AccountName\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--23bc99f6-2f86-5d31-9b38-a79d69e16a7d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216515Z",
            "modified": "2026-06-14T11:55:42.216515Z",
            "name": "Process Execution - chromelevator.exe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Security EventCode=4688\n| search \"Process Name\"=\"*chromelevator.exe\"\n| fields\n    _time,\n    Computer,\n    Process_Name,\n    Command_Line,\n    ParentProcessName,\n    Account_Name\n| table _time Computer Process_Name Command_Line ParentProcessName Account_Name\n| sort - _time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--394150d7-59f0-575c-ae35-cf991d8079bd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216651Z",
            "modified": "2026-06-14T11:55:42.216651Z",
            "name": "Named Pipe Creation Monitoring",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=23 OR EventCode=24\n| search PipeName=\"\\\\.\\pipe\\*\"\n| search Image=\"*chromelevator.exe\" OR Image=\"*explorer.exe\"\n| fields\n    _time,\n    Computer,\n    PipeName,\n    Image,\n    EventCode\n| stats count by Computer, Image, PipeName\n| where count > 0",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--32190f0e-c1f4-543d-94fc-e31b61ab975f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216781Z",
            "modified": "2026-06-14T11:55:42.216781Z",
            "name": "Browser Process Memory Operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=8\n| search TargetImage IN (chrome.exe, brave.exe, msedge.exe, firefox.exe)\n| fields\n    _time,\n    Computer,\n    SourceImage,\n    TargetImage,\n    EventCode,\n    GrantedAccess\n| where GrantedAccess IN (\"0x1fffff\", \"0x1f0fff\", \"0x1010\")\n| table _time Computer SourceImage TargetImage GrantedAccess\n| sort - _time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--908c1634-dd7d-5bcc-ad29-fa7b2ae31cad",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.216915Z",
            "modified": "2026-06-14T11:55:42.216915Z",
            "name": "Browser Database Access Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=11\n| search TargetFilename=\"*User Data*Login Data\" OR TargetFilename=\"*User Data*Cookies\" OR TargetFilename=\"*User Data*Web Data\"\n| search Image!=\"chrome.exe\" AND Image!=\"brave.exe\" AND Image!=\"msedge.exe\" AND Image!=\"firefox.exe\"\n| fields\n    _time,\n    Computer,\n    Image,\n    TargetFilename,\n    User\n| stats count by Computer, Image, TargetFilename\n| where count > 0",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8bd510af-aa12-524d-b65b-6f8a6f8a993c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217053Z",
            "modified": "2026-06-14T11:55:42.217053Z",
            "name": "Registry Activity - Browser Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=13\n| search TargetObject IN\n    (\"*\\\\Software\\\\Google\\\\Chrome\\\\*\",\n     \"*\\\\Software\\\\BraveSoftware\\\\*\",\n     \"*\\\\Software\\\\Microsoft\\\\Edge\\\\*\")\n| search Image=\"*chromelevator.exe\" OR Image=\"*explorer.exe\"\n| fields\n    _time,\n    Computer,\n    Image,\n    TargetObject,\n    Details\n| table _time Computer Image TargetObject Details\n| sort - _time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7b78e9f9-6389-5170-b033-1259417979ba",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217189Z",
            "modified": "2026-06-14T11:55:42.217189Z",
            "name": "Named Pipe C2 Communication Pattern",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert file-data any any -> any any (msg:\"Named Pipe C2 Communication Pattern\"; file_data; content:\"VERBOSE_\"; distance:0; within:10; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips alert;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--fa6d0958-d28b-5ce4-923a-db6c76e5563f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.21733Z",
            "modified": "2026-06-14T11:55:42.21733Z",
            "name": "Potential Credential Exfiltration - Large Data Transfer",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp any any -> any any (msg:\"Potential Credential Exfiltration - Large Data Transfer\"; flow:to_server,established; content:\"POST\"; http_method; content:\"credentials\"; http_uri; nocase; classtype:trojan-activity; sid:1000002; rev:1;)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e520a082-d736-51d0-9db7-efff42bfd37a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217461Z",
            "modified": "2026-06-14T11:55:42.217461Z",
            "name": "Hunting Query 1: Browser Exploitation Indicators",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=11\n| search TargetFilename=\"*User Data*\" AND (TargetFilename=\"*Login Data\" OR TargetFilename=\"*Cookies\" OR TargetFilename=\"*Web Data\")\n| where NOT (Image IN (chrome.exe, brave.exe, msedge.exe, firefox.exe, backup.exe, sync.exe))\n| stats count by Computer, Image, TargetFilename, User\n| where count > 5",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f3fa4248-997b-5727-8e56-db5a5cfa4c0c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217588Z",
            "modified": "2026-06-14T11:55:42.217588Z",
            "name": "Hunting Query 2: Reflective DLL Injection Patterns",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where ActionType in (\"CreateRemoteThreadApi\", \"VirtualAllocExApi\", \"WriteProcessMemoryApi\", \"VirtualProtectExApi\")\n| where TargetImage has \"chrome\" or TargetImage has \"brave\" or TargetImage has \"edge\"\n| summarize EventCount = count() by DeviceName, ProcessName, TargetImage\n| where EventCount > 10",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--19f65c87-d656-559d-af9f-f3098e913c57",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217715Z",
            "modified": "2026-06-14T11:55:42.217715Z",
            "name": "Hunting Query 3: Registry Enumeration for Browser Installations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=main sourcetype=WinEventLog:Sysmon EventCode=13\n| search (TargetObject=\"*\\\\Software\\\\Google\\\\Chrome\\\\*\" OR TargetObject=\"*\\\\Software\\\\BraveSoftware\\\\*\" OR TargetObject=\"*\\\\Software\\\\Microsoft\\\\Edge\\\\*\")\n| where NOT (Image IN (chrome.exe, brave.exe, msedge.exe, firefox.exe, regedit.exe, powershell.exe, cmd.exe))\n| stats count by Image, TargetObject, User\n| where count > 3",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--126212a5-f241-5350-ab7e-0a447d499535",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217846Z",
            "modified": "2026-06-14T11:55:42.217846Z",
            "name": "Hunting Query 4: Suspicious Command-Line Arguments",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where ProcessCommandLine has \"--output-path\" or ProcessCommandLine has \"--verbose\" or ProcessCommandLine has \"--fingerprint\"\n| where ProcessName !in (\"PowerShell.exe\", \"cmd.exe\", \"wscript.exe\")\n| project\n    Timestamp,\n    DeviceName,\n    ProcessName,\n    ProcessCommandLine,\n    InitiatingProcessName,\n    AccountName\n| order by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5b515ade-38da-58fc-92f0-b98ec182104c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.217977Z",
            "modified": "2026-06-14T11:55:42.217977Z",
            "name": "Arsenal237_nethost_dll_hash_detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_nethost_dll_hash_detection {\n    meta:\n        author = \"The Hunters Ledger\"\n        description = \"Detects Arsenal-237 nethost.dll by known file hashes\"\n        date = \"2026-01-26\"\n        threat_level = \"CRITICAL\"\n        malware_type = \"C2 Communication Module\"\n\n    strings:\n        $sha256_1 = \"158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14\"\n        $md5_1 = \"f91ff1bb5699524524fff0e2587af040\"\n        $sha1_1 = \"622ddbacaf769aef383435162a203489c08c8468\"\n        $filename = \"nethost.dll\" nocase\n\n    condition:\n        filename or any of ($sha256_*, $md5_*, $sha1_*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--46756a9c-ab5a-5294-b63f-ba24f7af5513",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.218102Z",
            "modified": "2026-06-14T11:55:42.218102Z",
            "name": "Arsenal237_nethost_dll_c2_strings",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_nethost_dll_c2_strings {\n    meta:\n        author = \"The Hunters Ledger\"\n        description = \"Detects nethost.dll by hardcoded C2 target strings\"\n        date = \"2026-01-26\"\n        threat_level = \"CRITICAL\"\n\n    strings:\n        $c2_targets = \"8.8.8.8:53127.0.0.1ntdll.dll\"\n        $env_discovery = \"COMPUTERNAMEUSERNAME\"\n        $rust_panic = \"runtime error\"\n        $winsock_init = \"WSAStartup\"\n\n    condition:\n        ($c2_targets or $env_discovery) and uint16(0) == 0x5a4d // MZ header\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--18093c24-ed0c-53ec-9887-ce1c5ae2d627",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.218226Z",
            "modified": "2026-06-14T11:55:42.218226Z",
            "name": "Arsenal237_nethost_dll_powershell_templates",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_nethost_dll_powershell_templates {\n    meta:\n        author = \"The Hunters Ledger\"\n        description = \"Detects nethost.dll by embedded PowerShell command templates\"\n        date = \"2026-01-26\"\n        threat_level = \"HIGH\"\n\n    strings:\n        $ps_service = \"Get-Service|?{$_.Status -eq ''}\"\n        $ps_download = \"Invoke-WebRequest -Uri '' -OutFile ''\"\n        $upload_prefix = \"pathB64:\"\n        $response_keywords = \"resultmachine_idsuccess\"\n\n    condition:\n        3 of them and uint16(0) == 0x5a4d\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4a1fee1b-123d-575f-8e67-87a0dec4d0ea",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.218347Z",
            "modified": "2026-06-14T11:55:42.218347Z",
            "name": "Arsenal237_nethost_dll_winsock_init",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_nethost_dll_winsock_init {\n    meta:\n        author = \"The Hunters Ledger\"\n        description = \"Detects nethost.dll by Winsock initialization pattern\"\n        date = \"2026-01-26\"\n        threat_level = \"HIGH\"\n\n    strings:\n        $ws_startup = {C7 ?? ?? 02 02 00}  // WSAStartup with version 0x202\n        $wsa_socket = \"WSASocket\"\n        $connect_api = \"connect\"\n        $env_vars = \"COMPUTERNAME\"\n\n    condition:\n        all of them and uint16(0) == 0x5a4d\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c4d572bb-7c5c-535d-a830-2aaf9108295d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.218543Z",
            "modified": "2026-06-14T11:55:42.218543Z",
            "name": "Arsenal237_nethost_dll_rust_indicators",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_nethost_dll_rust_indicators {\n    meta:\n        author = \"The Hunters Ledger\"\n        description = \"Detects nethost.dll by Rust compilation indicators\"\n        date = \"2026-01-26\"\n        threat_level = \"MEDIUM\"\n\n    strings:\n        $rust_panic = \"rust_panic\"\n        $rustc_artifact = \".rustc_artifact\"\n        $rust_std = \"std::panic\"\n        $dlbug_assertion = \"assertion `left  right` failed\"\n        $file_size = {00 C0 06 00}  // 440,832 bytes\n\n    condition:\n        2 of them and uint16(0) == 0x5a4d\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b598537b-8c33-57ca-afc4-c58ca0cfc416",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.218742Z",
            "modified": "2026-06-14T11:55:42.218742Z",
            "name": "Arsenal-237 nethost.dll C2 Connection Attempt",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 nethost.dll C2 Connection Attempt\ndescription: Detects TCP connections to port 53 on 8.8.8.8 or 127.0.0.1 from the host processes observed with Arsenal-237 nethost.dll. Caveat - 8.8.8.8 is Google Public DNS and 127.0.0.1 is the local host, neither is attacker-controlled infrastructure, so a hit is a triage lead to corroborate with the nethost.dll YARA and file-creation indicators in this bundle rather than confirmation of C2. A DLL never appears as the Image of a network_connection event, so the nethost.dll entry in process_filter cannot match on its own.\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    c2_connection:\n        DestinationIp:\n            - 8.8.8.8\n            - 127.0.0.1\n        DestinationPort: 53\n        Protocol: tcp\n    process_filter:\n        Image|endswith:\n            - nethost.dll\n            - explorer.exe\n            - svchost.exe\n            - rundll32.exe\n            - powershell.exe\n    filter_legitimate:\n        DestinationIp: 8.8.8.8\n        Protocol: udp\n    condition: c2_connection and process_filter and not filter_legitimate\nfalsepositives:\n    - Legitimate DNS queries to Google Public DNS\n    - System DNS resolution to 8.8.8.8 via UDP (legitimate; TCP on port 53 is also legitimate as a fallback after a truncated UDP response, so TCP alone is not proof of C2)\n    - Local resolver or DNS proxy software listening on 127.0.0.1 port 53\nlevel: critical\ntags:\n    - attack.command_and_control\n    - attack.t1071\n    - arsenal-237\n    - c2_communication",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--14dd5eeb-ade0-583b-a939-ded6b0d61f3f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.219065Z",
            "modified": "2026-06-14T11:55:42.219065Z",
            "name": "Arsenal-237 nethost.dll DLL Injection Attempt",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 nethost.dll DLL Injection Attempt\ndescription: Detects DLL injection of nethost.dll or similar network modules. Hunting rule - process_creation events do not record DLL loads, so corroborate hits with image_load telemetry (Sysmon Event ID 7) for nethost.dll\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    dll_injection:\n        CommandLine|contains:\n            - 'LoadLibrary*nethost.dll'\n            - 'GetProcAddress*WSASocket'\n            - 'inject*nethost'\n    suspicious_loader:\n        ParentImage|endswith:\n            - explorer.exe\n            - svchost.exe\n            - rundll32.exe\n            - regsvcs.exe\n            - regasm.exe\n    suspicious_dll_path:\n        Image|contains:\n            - '\\Temp\\'\n            - '\\AppData\\'\n            - '\\Users\\Public'\n    condition: (dll_injection or suspicious_loader) and suspicious_dll_path\nfalsepositives:\n    - Legitimate software installation procedures\n    - Any per-user application installed under AppData or run from Temp and launched from explorer.exe satisfies suspicious_loader and suspicious_dll_path with no nethost.dll involvement, so expect high volume until the path branch is tuned\n    - The dll_injection command-line strings name Win32 APIs that only appear on a command line for scripted loaders; compiled injectors are not covered by this rule\nlevel: high\ntags:\n    - attack.defense_evasion\n    - attack.t1055\n    - arsenal-237",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bb3124ed-c81c-5b83-9345-5e4536b90260",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.219661Z",
            "modified": "2026-06-14T11:55:42.219661Z",
            "name": "Arsenal-237 nethost.dll PowerShell Template Execution",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 nethost.dll PowerShell Template Execution\ndescription: Detects PowerShell execution with known malware command templates. Covers Windows PowerShell only; add pwsh.exe to powershell_execution to cover PowerShell 7\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    powershell_execution:\n        Image|endswith: powershell.exe\n    malware_templates:\n        CommandLine|contains:\n            - 'Get-Service|?{$_.Status -eq'\n            - 'Invoke-WebRequest -Uri'\n            - 'Select Name,Status|FT'\n    suspicious_parent:\n        ParentImage|endswith:\n            - rundll32.exe\n            - regsvcs.exe\n            - explorer.exe\n            - svchost.exe\n    condition: powershell_execution and malware_templates and suspicious_parent\nfalsepositives:\n    - Legitimate system administration scripts\n    - Interactive or user-launched PowerShell from explorer.exe that calls Invoke-WebRequest -Uri; the template strings are ordinary PowerShell idioms, so the rundll32.exe, regsvcs.exe and svchost.exe parents carry most of the signal\nlevel: high\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - arsenal-237",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a8b364ef-60eb-50a0-b3bf-c51b96dacc69",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.219864Z",
            "modified": "2026-06-14T11:55:42.219864Z",
            "name": "Arsenal-237 System Reconnaissance - Environment Variable Discovery",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 System Reconnaissance - Environment Variable Discovery\ndescription: Detects suspicious queries for COMPUTERNAME and USERNAME environment variables\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    env_discovery:\n        CommandLine|contains:\n            - 'GetEnvironmentVariable*COMPUTERNAME'\n            - 'GetEnvironmentVariable*USERNAME'\n            - '%COMPUTERNAME%'\n            - '%USERNAME%'\n    suspicious_process:\n        Image|endswith:\n            - rundll32.exe\n            - regsvcs.exe\n            - powershell.exe\n            - cmd.exe\n    filter_legitimate:\n        CommandLine|contains:\n            - 'echo %COMPUTERNAME%'\n            - 'hostname'\n            - 'whoami'\n    condition: env_discovery and suspicious_process and not filter_legitimate\nfalsepositives:\n    - System administration scripts\n    - Legitimate batch files querying environment variables\nlevel: medium\ntags:\n    - attack.discovery\n    - attack.t1082\n    - arsenal-237",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3f9f9b89-e553-5f68-89d5-3846fce08d6a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220072Z",
            "modified": "2026-06-14T11:55:42.220072Z",
            "name": "Arsenal-237 System Reconnaissance Commands",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 System Reconnaissance Commands\ndescription: Detects reconnaissance commands (systeminfo, tasklist, net user, wmic os get, ipconfig, Get-Service, Get-Process) run via cmd.exe or powershell.exe from rundll32.exe, regsvcs.exe, explorer.exe or svchost.exe. Review note - the sequential_execution block nests a condition expression inside a selection, which is not valid Sigma, so the rule does not compile as written; the intended condition is recon_commands and suspicious_parent, and despite the name no ordering or sequence of commands is enforced\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    recon_commands:\n        Image|endswith:\n            - cmd.exe\n            - powershell.exe\n        CommandLine|contains:\n            - 'Get-Service'\n            - 'Get-Process'\n            - 'systeminfo'\n            - 'tasklist'\n            - 'net user'\n            - 'wmic os get'\n            - 'ipconfig'\n    suspicious_parent:\n        ParentImage|endswith:\n            - rundll32.exe\n            - regsvcs.exe\n            - explorer.exe\n            - svchost.exe\n    sequential_execution:\n        selection: recon_commands and suspicious_parent\n    condition: sequential_execution\nfalsepositives:\n    - Legitimate system administration\n    - Help desk scripts\n    - Any user opening cmd.exe or PowerShell from explorer.exe and running ipconfig, tasklist or Get-Process; the explorer.exe parent makes this a hunting query rather than an alert\nlevel: medium\ntags:\n    - attack.discovery\n    - attack.t1057\n    - attack.t1082\n    - arsenal-237",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8779ead2-6887-5854-994d-1c9b61eb9f0b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220268Z",
            "modified": "2026-06-14T11:55:42.220268Z",
            "name": "Detect TCP Port 53 Connections to Arsenal-237 Observed Destinations (8.8.8.8, 127.0.0.1 - not attacker-controlled infrastructure)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=firewall OR sourcetype=wineventlog\n(dest_ip=8.8.8.8 AND dest_port=53 AND protocol=tcp)\nOR (dest_ip=127.0.0.1 AND dest_port=53 AND protocol=tcp)\n| stats count by src_ip, dest_ip, dest_port, src_process, user\n| where count >= 1\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--32005564-26fe-5bc0-9f26-c61b90090718",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220402Z",
            "modified": "2026-06-14T11:55:42.220402Z",
            "name": "Detect nethost.dll File Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=wineventlog EventID=11\n(FileName=nethost.dll OR FileName=*nethost*)\n| stats count by host, FileName, TargetFilename, SourceIp\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6945097e-dbca-56e9-bd50-7ec10183b0d1",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220555Z",
            "modified": "2026-06-14T11:55:42.220555Z",
            "name": "Detect PowerShell Execution with Malware Templates",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=powershell\n(CommandLine=\"*Get-Service*\" AND CommandLine=\"*Status -eq*\")\nOR (CommandLine=\"*Invoke-WebRequest*\" AND CommandLine=\"*-OutFile*\")\n| stats count by host, CommandLine, user, process_id\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a53f2a3b-1256-57bd-b129-0c3c696c4310",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220683Z",
            "modified": "2026-06-14T11:55:42.220683Z",
            "name": "Detect Suspicious DLL Loading",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=wineventlog EventID=7 OR EventCode=7\n(ImageLoaded=\"*nethost.dll\" OR ImageLoaded=\"*\\\\Temp\\\\*dll\")\n| stats count by host, Image, ImageLoaded, SourceIp\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1e790e1c-325e-54cf-b708-a3b8e77af76b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220811Z",
            "modified": "2026-06-14T11:55:42.220811Z",
            "name": "Detect Process Injection from Suspicious Parents",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=wineventlog EventCode=1\n(ParentImage=*rundll32.exe OR ParentImage=*regsvcs.exe OR ParentImage=*explorer.exe)\n(Image=*powershell.exe OR Image=*cmd.exe)\n| stats count by host, ParentImage, Image, CommandLine\n| where count >= 2\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--36f77a65-7949-56e2-b38d-39b93c9f3882",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.220942Z",
            "modified": "2026-06-14T11:55:42.220942Z",
            "name": "Detect Reconnaissance Command Sequence",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "sourcetype=wineventlog EventCode=1\n(Image=*cmd.exe OR Image=*powershell.exe)\n(CommandLine=*systeminfo* OR CommandLine=*Get-Service* OR CommandLine=*Get-Process* OR CommandLine=*net user*)\n| dedup host, user, CommandLine\n| stats count by host, user, CommandLine\n| where count >= 3\n| sort - count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--89aa101d-05c3-5d0b-8889-729adc26dc89",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221073Z",
            "modified": "2026-06-14T11:55:42.221073Z",
            "name": "Network Detection - Port 53 Connections to Arsenal-237 Observed Destinations (8.8.8.8, 127.0.0.1; no protocol filter, so ordinary UDP DNS to 8.8.8.8 also matches)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "NetworkCommunication\n| where RemoteIP in (\"8.8.8.8\", \"127.0.0.1\") and RemotePort == 53\n| extend ThreatIndicator = \"Arsenal-237-nethost-C2\"\n| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ThreatIndicator\n| order by TimeGenerated desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--328213e6-a197-5a31-b348-37507eedf440",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221203Z",
            "modified": "2026-06-14T11:55:42.221203Z",
            "name": "Process Execution - Suspicious Parent/Child Relationship",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where (InitiatingProcessFileName has_any (\"rundll32.exe\", \"regsvcs.exe\", \"explorer.exe\"))\n  and (FileName has_any (\"powershell.exe\", \"cmd.exe\"))\n| extend CommandLineIndicator = \"T1055-ProcessInjection\"\n| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, CommandLine, CommandLineIndicator\n| order by TimeGenerated desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9a37c126-1663-5e9b-a8a7-634653957456",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221345Z",
            "modified": "2026-06-14T11:55:42.221345Z",
            "name": "File Creation - nethost.dll Detection",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceFileEvents\n| where FileName == \"nethost.dll\" or FileName endswith \"nethost.dll\"\n| extend ThreatIndicator = \"Arsenal-237-nethost-DLL\"\n| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, ThreatIndicator\n| order by TimeGenerated desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cc30d5fd-d372-5db1-b0b6-3d3ebce74a1e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221474Z",
            "modified": "2026-06-14T11:55:42.221474Z",
            "name": "PowerShell Execution - Malware Command Templates",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceProcessEvents\n| where FileName == \"powershell.exe\"\n| where CommandLine contains \"Get-Service\" and CommandLine contains \"Status -eq\"\n   or CommandLine contains \"Invoke-WebRequest\" and CommandLine contains \"-OutFile\"\n| extend ThreatIndicator = \"Arsenal-237-PowerShell-Template\"\n| project TimeGenerated, DeviceName, CommandLine, ProcessId, InitiatingProcessFileName, ThreatIndicator\n| order by TimeGenerated desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8ceae528-52ca-5932-9e3a-91cd7c03fa26",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221606Z",
            "modified": "2026-06-14T11:55:42.221606Z",
            "name": "Registry Persistence Check",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "DeviceRegistryEvents\n| where RegistryKey has_any (\n    @\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\",\n    @\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\",\n    @\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\n    )\n| where RegistryValueData contains \"nethost\" or RegistryValueData contains \"cmd\"\n| extend ThreatIndicator = \"Arsenal-237-Persistence\"\n| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ThreatIndicator\n| order by TimeGenerated desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bc94a404-15e0-5996-a7f9-0f8157f94516",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221734Z",
            "modified": "2026-06-14T11:55:42.221734Z",
            "name": "Arsenal-237 nethost.dll C2 Connection Attempt to 8.8.8.8:53",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp any any -> 8.8.8.8 53 (\n    msg:\"Arsenal-237 nethost.dll C2 Connection Attempt to 8.8.8.8:53\";\n    flow:established;\n    content:\"GET\"; http_method;\n    sid:1001001; rev:1;\n    classtype:trojan-activity;\n    metadata: policy balanced-ips drop, policy security-ips alert;\n)\n\nalert tcp any any -> 127.0.0.1 53 (\n    msg:\"Arsenal-237 nethost.dll C2 Connection Attempt to localhost:53\";\n    flow:established;\n    sid:1001002; rev:1;\n    classtype:trojan-activity;\n    metadata: policy balanced-ips drop, policy security-ips alert;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2c7a10e3-2ad4-54e3-afd0-d42d6fc62850",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221863Z",
            "modified": "2026-06-14T11:55:42.221863Z",
            "name": "DNS-over-TCP to Any Destination Port 53 (Suricata has no process context; validate the content and pcre combination before deployment)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp any any -> any 53 (\n    msg:\"Suspicious DNS-over-TCP from suspicious process\";\n    flow:established;\n    content:\"|00|\"; depth:1;\n    pcre:\"/^[^\\x00-\\x09\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]*$/\";\n    sid:1001003; rev:1;\n    classtype:trojan-activity;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--53081acd-e6f6-53bc-85ad-ab1340b69af2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.221994Z",
            "modified": "2026-06-14T11:55:42.221994Z",
            "name": "Arsenal237_Rootkit_DLL_Comprehensive",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Rootkit_DLL_Comprehensive\n{\n    meta:\n        description = \"Detects Arsenal-237 rootkit.dll defense evasion framework\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        reference = \"Arsenal-237 Malware Toolkit Analysis\"\n        hash_md5 = \"674795d4d4ec09372904704633ea0d86\"\n        hash_sha1 = \"483feeb4e391ae64a7d54637ea71d43a17d83c71\"\n        hash_sha256 = \"e71240f26af1052172b5864cdddb78fcb990d7a96d53b7d22d19f5dfccdf9012\"\n        severity = \"critical\"\n        mitre_attack = \"T1068, T1562.001, T1055.001, T1564.001\"\n\n    strings:\n        // Rust runtime signatures\n        $rust_panic = \"panicked at\" ascii\n        $rust_runtime = \"std::panicking::rust_panic\" ascii\n        $rust_thread = \"std::thread::Builder\" ascii\n\n        // Embedded Baidu driver indicators\n        $baidu_driver_1 = \"BdApiUtil64.sys\" wide ascii\n        $baidu_driver_2 = \"Baidu\" wide ascii nocase\n\n        // Security product process targets (Microsoft Defender)\n        $defender_1 = \"MsMpEng.exe\" wide ascii nocase\n        $defender_2 = \"MpCmdRun.exe\" wide ascii nocase\n        $defender_3 = \"SecurityHealthService.exe\" wide ascii nocase\n        $defender_4 = \"WdNisDrv.sys\" wide ascii nocase\n        $defender_5 = \"WdFilter.sys\" wide ascii nocase\n\n        // CrowdStrike targets\n        $crowdstrike_1 = \"CSFalconService.exe\" wide ascii nocase\n        $crowdstrike_2 = \"CSFalconContainer.exe\" wide ascii nocase\n        $crowdstrike_3 = \"csagent.sys\" wide ascii nocase\n\n        // Third-party AV targets\n        $av_eset = \"ekrn.exe\" wide ascii nocase\n        $av_kaspersky = \"avp.exe\" wide ascii nocase\n        $av_malwarebytes = \"MBAMService.exe\" wide ascii nocase\n        $av_symantec = \"ccSvcHst.exe\" wide ascii nocase\n        $av_webroot = \"WRSA.exe\" wide ascii nocase\n        $av_sophos = \"SophosHealth.exe\" wide ascii nocase\n        $av_cylance = 
\"CylanceSvc.exe\" wide ascii nocase\n        $av_sentinel = \"SentinelAgent.exe\" wide ascii nocase\n\n        // Analysis tool targets\n        $analysis_1 = \"procexp.exe\" wide ascii nocase\n        $analysis_2 = \"procmon.exe\" wide ascii nocase\n        $analysis_3 = \"Wireshark.exe\" wide ascii nocase\n        $analysis_4 = \"x64dbg.exe\" wide ascii nocase\n        $analysis_5 = \"volatility.exe\" wide ascii nocase\n\n        // Core defense evasion functions (hex patterns)\n        $func_dispatcher = { 48 83 EC 28 48 8B ?? 48 8B ?? 48 8B ?? 48 85 ?? 74 ?? FF D? }\n        $func_thread_create = { 48 89 5C 24 ?? 48 89 74 24 ?? 57 48 83 EC 20 48 8B D9 }\n\n        // API imports for defense evasion\n        $api_terminate = \"ZwTerminateProcess\" ascii\n        $api_openprocess = \"OpenProcess\" ascii\n        $api_createthread = \"CreateThread\" ascii\n        $api_loaddriver = \"ZwLoadDriver\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        filesize < 500KB and\n        (\n            // Strong Rust + BYOVD signature\n            (2 of ($rust_*) and 1 of ($baidu_*)) or\n\n            // Multiple security product targets\n            (6 of ($defender_*, $crowdstrike_*, $av_*)) or\n\n            // Analysis tool targeting\n            (3 of ($analysis_*)) or\n\n            // Function patterns + API imports\n            (1 of ($func_*) and 2 of ($api_*)) or\n\n            // Comprehensive detection: Rust + targets + functions\n            (1 of ($rust_*) and 3 of ($defender_*, $crowdstrike_*, $av_*) and 1 of ($func_*))\n        )\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cecfb8f3-50ba-5154-b435-dc89085bf2d9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222124Z",
            "modified": "2026-06-14T11:55:42.222124Z",
            "name": "Arsenal237_BYOVD_Baidu_Driver",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BYOVD_Baidu_Driver\n{\n    meta:\n        description = \"Detects embedded BdApiUtil64.sys driver for BYOVD attacks\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        reference = \"Arsenal-237 BYOVD Technique\"\n        severity = \"critical\"\n        mitre_attack = \"T1068\"\n\n    strings:\n        $driver_name_1 = \"BdApiUtil64.sys\" wide ascii\n        $driver_name_2 = \"BdApiUtil\" wide ascii\n        $baidu_company = \"Baidu\" wide ascii nocase\n        $driver_signature = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF }\n\n        // Driver service registry paths\n        $reg_service_1 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\BdApiUtil\" wide\n        $reg_service_2 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\" wide\n\n        // IOCTL codes for driver communication\n        $ioctl_pattern = { 44 ?? ?? ?? ?? 00 22 00 00 }\n\n    condition:\n        uint16(0) == 0x5A4D and\n        (\n            (2 of ($driver_name_*) and $baidu_company) or\n            ($driver_signature and 1 of ($driver_name_*)) or\n            (1 of ($reg_service_*) and 1 of ($driver_name_*)) or\n            ($ioctl_pattern and 1 of ($driver_name_*))\n        )\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8fecc73a-760f-5f84-8164-1a447bdb131e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222247Z",
            "modified": "2026-06-14T11:55:42.222247Z",
            "name": "Arsenal237_Security_Product_Killer",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Security_Product_Killer\n{\n    meta:\n        description = \"Detects mass security product termination behavior\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        reference = \"Arsenal-237 Defense Evasion\"\n        severity = \"critical\"\n        mitre_attack = \"T1562.001, T1089\"\n\n    strings:\n        // Microsoft Defender complete process list\n        $def_1 = \"MsMpEng.exe\" wide ascii nocase\n        $def_2 = \"MpCmdRun.exe\" wide ascii nocase\n        $def_3 = \"NisSrv.exe\" wide ascii nocase\n        $def_4 = \"SecurityHealthService.exe\" wide ascii nocase\n        $def_5 = \"smartscreen.exe\" wide ascii nocase\n        $def_6 = \"SgrmBroker.exe\" wide ascii nocase\n        $def_7 = \"MpSigStub.exe\" wide ascii nocase\n        $def_8 = \"wscsvc.exe\" wide ascii nocase\n        $def_9 = \"WdNisDrv.sys\" wide ascii nocase\n        $def_10 = \"WdFilter.sys\" wide ascii nocase\n\n        // CrowdStrike complete process list\n        $cs_1 = \"CSFalconService.exe\" wide ascii nocase\n        $cs_2 = \"CSFalconContainer.exe\" wide ascii nocase\n        $cs_3 = \"CSAgent.exe\" wide ascii nocase\n        $cs_4 = \"csagent.sys\" wide ascii nocase\n        $cs_5 = \"CSDeviceControl.exe\" wide ascii nocase\n        $cs_6 = \"CSNamedPipeProxy.exe\" wide ascii nocase\n\n        // Third-party AV products\n        $av_1 = \"ekrn.exe\" wide ascii nocase          // ESET\n        $av_2 = \"avp.exe\" wide ascii nocase            // Kaspersky\n        $av_3 = \"MBAMService.exe\" wide ascii nocase    // Malwarebytes\n        $av_4 = \"ccSvcHst.exe\" wide ascii nocase       // Symantec\n        $av_5 = \"WRSA.exe\" wide ascii nocase           // Webroot\n        $av_6 = \"SophosHealth.exe\" wide ascii nocase   // Sophos\n        $av_7 = \"CylanceSvc.exe\" wide ascii nocase     // Cylance\n        $av_8 = \"SentinelAgent.exe\" wide ascii nocase  // Sentinel One\n\n        // Termination APIs\n        
$api_1 = \"ZwTerminateProcess\" ascii\n        $api_2 = \"TerminateProcess\" ascii\n        $api_3 = \"NtTerminateProcess\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        (\n            // High confidence: Multiple vendor targets\n            (5 of ($def_*) and 3 of ($cs_*) and 3 of ($av_*)) or\n\n            // Medium confidence: One vendor complete + APIs\n            ((8 of ($def_*) or 4 of ($cs_*)) and 1 of ($api_*)) or\n\n            // Broad targeting across vendors\n            (3 of ($def_*) and 2 of ($cs_*) and 4 of ($av_*) and 1 of ($api_*))\n        )\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f13a9584-2519-54cb-8d4d-c5cea0ac4740",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222372Z",
            "modified": "2026-06-14T11:55:42.222372Z",
            "name": "Arsenal237_Rust_Compiled_Malware",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_Rust_Compiled_Malware\n{\n    meta:\n        description = \"Detects Rust-compiled malware from Arsenal-237 toolkit\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        reference = \"Arsenal-237 Rust Compilation Pattern\"\n        severity = \"high\"\n\n    strings:\n        $rust_panic = \"panicked at\" ascii\n        $rust_runtime_1 = \"std::panicking::rust_panic\" ascii\n        $rust_runtime_2 = \"std::panicking::begin_panic\" ascii\n        $rust_thread_1 = \"std::thread::Builder\" ascii\n        $rust_thread_2 = \"std::thread::spawn\" ascii\n        $rust_alloc = \"alloc::alloc::Global\" ascii\n        $rust_vec = \"alloc::vec::Vec\" ascii\n\n        // Cargo/rustc metadata\n        $cargo_metadata = \".cargo\" ascii\n        $rustc_version = \"rustc\" ascii\n\n        // Suspicious combinations\n        $suspicious_1 = \"OpenProcess\" ascii\n        $suspicious_2 = \"TerminateProcess\" ascii\n        $suspicious_3 = \"CreateRemoteThread\" ascii\n        $suspicious_4 = \"ZwLoadDriver\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and\n        (\n            // Rust signatures + suspicious APIs\n            (3 of ($rust_*) and 2 of ($suspicious_*)) or\n\n            // Strong Rust signature\n            (5 of ($rust_*)) or\n\n            // Cargo metadata + malicious APIs\n            ($cargo_metadata and $rustc_version and 2 of ($suspicious_*))\n        )\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9e89b181-3f7f-5162-8841-ba80f0ee4793",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222496Z",
            "modified": "2026-06-14T11:55:42.222496Z",
            "name": "Arsenal-237 BdApiUtil64.sys BYOVD Driver Loading",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 BdApiUtil64.sys BYOVD Driver Loading\nid: a8c9d4e1-2f3b-4c5d-8e9f-1a2b3c4d5e6f\nstatus: experimental\ndescription: Detects loading of the vulnerable BdApiUtil64.sys driver used in BYOVD attacks\nreferences:\n    - Arsenal-237 Malware Toolkit Analysis\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection_driver_name:\n        ImageLoaded|contains:\n            - 'BdApiUtil64.sys'\n            - 'BdApiUtil.sys'\n    selection_driver_hash:\n        Hashes|contains:\n            - 'MD5=f72386e6b0e87a3245e0d6e4e4c5a1a0'\n            - 'SHA1=d8e1c6d0c1c0d6e8c9e0d6e0c1c0d6e8c9e0d6e0'\n            - 'SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\n    selection_sysmon:\n        EventID: 6\n    condition: selection_sysmon and (selection_driver_name or selection_driver_hash)\nfalsepositives:\n    - Legitimate Baidu software installations (rare in enterprise environments)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9c3cbd5f-c7a0-5343-926e-5fd8a86bbe66",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222624Z",
            "modified": "2026-06-14T11:55:42.222624Z",
            "name": "Arsenal-237 Mass Security Product Termination",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 Mass Security Product Termination\nid: b9d1e2f3-4a5b-6c7d-8e9f-0a1b2c3d4e5f\nstatus: experimental\ndescription: Detects mass termination of security product processes, indicating Arsenal-237 rootkit.dll activity\nreferences:\n    - Arsenal-237 Defense Evasion Framework\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.t1089\nlogsource:\n    product: windows\n    category: process_termination\ndetection:\n    selection_defender:\n        TargetImage|endswith:\n            - '\\MsMpEng.exe'\n            - '\\MpCmdRun.exe'\n            - '\\NisSrv.exe'\n            - '\\SecurityHealthService.exe'\n    selection_crowdstrike:\n        TargetImage|endswith:\n            - '\\CSFalconService.exe'\n            - '\\CSFalconContainer.exe'\n            - '\\CSAgent.exe'\n    selection_thirdparty:\n        TargetImage|endswith:\n            - '\\ekrn.exe'\n            - '\\avp.exe'\n            - '\\MBAMService.exe'\n            - '\\ccSvcHst.exe'\n            - '\\SophosHealth.exe'\n    timeframe: 60s\n    condition: (selection_defender | count(gte 3) or selection_crowdstrike | count(gte 2) or selection_thirdparty | count(gte 3)) within timeframe\nfalsepositives:\n    - Legitimate security product updates or uninstallations\n    - System administrator maintenance activities\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9636f6ad-7d0a-5745-8061-56ccd679c8ae",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222758Z",
            "modified": "2026-06-14T11:55:42.222758Z",
            "name": "Arsenal-237 rootkit.dll File System Stealth Operations",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 rootkit.dll File System Stealth Operations\nid: c1d2e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f\nstatus: experimental\ndescription: Detects Unicode-based file hiding operations from rootkit.dll\nreferences:\n    - Arsenal-237 File System Stealth Technique\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1564.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_dll:\n        Image|endswith: '\\rootkit.dll'\n    selection_operations:\n        EventID:\n            - 11  # File created\n            - 23  # File deleted\n            - 26  # File modified\n    selection_unicode:\n        TargetFilename|contains:\n            - '\\u'\n            - '%u'\n            - '\\x'\n    condition: selection_dll and selection_operations and selection_unicode\nfalsepositives:\n    - Legitimate applications using Unicode file names\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8b063559-7a07-5838-bd15-0844901fed3a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.222887Z",
            "modified": "2026-06-14T11:55:42.222887Z",
            "name": "Arsenal-237 rootkit.dll API Hooking Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 rootkit.dll API Hooking Activity\nid: d2e3f4a5-6b7c-8d9e-0f1a-2b3c4d5e6f7a\nstatus: experimental\ndescription: Detects API hooking operations from rootkit.dll via DLL injection\nreferences:\n    - Arsenal-237 API Hooking Technique\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1055.001\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection_source:\n        SourceImage|endswith: '\\rootkit.dll'\n    selection_target_security:\n        TargetImage|endswith:\n            - '\\MsMpEng.exe'\n            - '\\CSFalconService.exe'\n            - '\\ekrn.exe'\n            - '\\avp.exe'\n    selection_access:\n        GrantedAccess:\n            - '0x1F0FFF'  # PROCESS_ALL_ACCESS\n            - '0x1FFFFF'  # PROCESS_ALL_ACCESS alternate\n            - '0x1010'    # PROCESS_VM_WRITE | PROCESS_VM_OPERATION\n    selection_sysmon:\n        EventID: 10\n    condition: selection_sysmon and selection_source and selection_target_security and selection_access\nfalsepositives:\n    - Security software cross-process monitoring\n    - Legitimate debugging activities\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--32a84290-5610-525d-9255-ef5cead2df9c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223014Z",
            "modified": "2026-06-14T11:55:42.223014Z",
            "name": "Arsenal-237 rootkit.dll PowerShell Integration",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Arsenal-237 rootkit.dll PowerShell Integration\nid: e3f4a5b6-7c8d-9e0f-1a2b-3c4d5e6f7a8b\nstatus: experimental\ndescription: Detects PowerShell execution initiated from rootkit.dll context\nreferences:\n    - Arsenal-237 PowerShell Integration\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_powershell:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    selection_parent:\n        ParentCommandLine|contains: 'rootkit.dll'\n    selection_suspicious:\n        CommandLine|contains:\n            - '-enc'\n            - '-EncodedCommand'\n            - '-w hidden'\n            - '-WindowStyle Hidden'\n            - 'bypass'\n    condition: selection_powershell and (selection_parent or selection_suspicious)\nfalsepositives:\n    - Legitimate PowerShell scripts executed by system processes\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f2c6825e-15e2-5b80-8572-6e767639d718",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223144Z",
            "modified": "2026-06-14T11:55:42.223144Z",
            "name": "CrowdStrike Falcon Query",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Arsenal-237 rootkit.dll BYOVD and Defense Evasion Detection\nevent_simpleName IN (\"DriverLoad\", \"ProcessRollup2\", \"ProcessTerminate\")\n| where (\n    // BYOVD driver loading\n    (event_simpleName=\"DriverLoad\" AND ImageFileName CONTAINS \"BdApiUtil64.sys\") OR\n\n    // Mass security process termination\n    (event_simpleName=\"ProcessTerminate\" AND\n     FileName IN (\"MsMpEng.exe\", \"CSFalconService.exe\", \"CSAgent.exe\", \"ekrn.exe\",\n                  \"avp.exe\", \"MBAMService.exe\", \"ccSvcHst.exe\", \"SophosHealth.exe\",\n                  \"CylanceSvc.exe\", \"SentinelAgent.exe\")) OR\n\n    // rootkit.dll process creation or loading\n    (event_simpleName=\"ProcessRollup2\" AND\n     (CommandLine CONTAINS \"rootkit.dll\" OR ImageFileName CONTAINS \"rootkit.dll\"))\n)\n| stats count() by event_simpleName, aid, ComputerName, UserName, FileName, ImageFileName\n| where count > 3  // Multiple terminations within query timeframe\n| sort -count",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b60ca61c-69f8-5934-9f89-6d46c560e78f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223284Z",
            "modified": "2026-06-14T11:55:42.223284Z",
            "name": "Microsoft Defender for Endpoint (Advanced Hunting)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Arsenal-237 rootkit.dll Multi-Vector Detection\nunion\n(\n    // BYOVD driver loading\n    DeviceEvents\n    | where ActionType == \"DriverLoad\"\n    | where FileName =~ \"BdApiUtil64.sys\" or InitiatingProcessFileName =~ \"BdApiUtil64.sys\"\n    | project Timestamp, DeviceName, ActionType, FileName, SHA256, InitiatingProcessFileName\n),\n(\n    // Mass security product termination\n    DeviceProcessEvents\n    | where ActionType == \"ProcessTerminated\"\n    | where FileName in~ (\"MsMpEng.exe\", \"MpCmdRun.exe\", \"NisSrv.exe\", \"SecurityHealthService.exe\",\n                          \"CSFalconService.exe\", \"CSAgent.exe\", \"ekrn.exe\", \"avp.exe\",\n                          \"MBAMService.exe\", \"SophosHealth.exe\", \"CylanceSvc.exe\")\n    | summarize TerminatedProcesses=make_set(FileName), TerminationCount=count()\n      by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1m)\n    | where TerminationCount >= 3\n),\n(\n    // rootkit.dll file operations\n    DeviceFileEvents\n    | where FileName =~ \"rootkit.dll\" or InitiatingProcessFileName =~ \"rootkit.dll\"\n    | where ActionType in (\"FileCreated\", \"FileModified\", \"FileRenamed\")\n    | project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256\n),\n(\n    // API hooking indicators\n    DeviceEvents\n    | where ActionType == \"CreateRemoteThreadApiCall\"\n    | where InitiatingProcessFileName contains \"rootkit.dll\"\n    | project Timestamp, DeviceName, ActionType, TargetProcessName, InitiatingProcessFileName\n)\n| sort by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3aa1fe6f-6d18-5f7f-b8c4-2ee6fc01b936",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223418Z",
            "modified": "2026-06-14T11:55:42.223418Z",
            "name": "Elastic Security (EQL Query)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Arsenal-237 rootkit.dll Detection Sequence\nsequence by host.id with maxspan=5m\n[\n  // Step 1: Driver loading\n  driver where driver.name == \"BdApiUtil64.sys\" or\n               file.name == \"BdApiUtil64.sys\"\n]\n[\n  // Step 2: Security process termination\n  process where event.action == \"termination\" and\n                process.name in (\"MsMpEng.exe\", \"CSFalconService.exe\", \"ekrn.exe\",\n                                 \"avp.exe\", \"MBAMService.exe\", \"SophosHealth.exe\")\n]\n[\n  // Step 3: File hiding or API hooking\n  any where (\n    (file.name contains \"rootkit.dll\" and event.action in (\"creation\", \"modification\")) or\n    (process.thread.Ext.start_address_module contains \"rootkit.dll\")\n  )\n]",
            "pattern_type": "eql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--445d8f98-12ee-5482-918a-518c0fddcfb9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223544Z",
            "modified": "2026-06-14T11:55:42.223544Z",
            "name": "Splunk SPL Query",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "(index=windows sourcetype=WinEventLog:Sysmon)\n(\n    (EventCode=6 ImageLoaded=\"*BdApiUtil64.sys*\") OR\n    (EventCode=1 Image=\"*rootkit.dll*\" OR CommandLine=\"*rootkit.dll*\") OR\n    (EventCode=8 SourceImage=\"*rootkit.dll*\" TargetImage IN (\"*MsMpEng.exe*\", \"*CSFalconService.exe*\", \"*ekrn.exe*\", \"*avp.exe*\")) OR\n    (EventCode=10 SourceImage=\"*rootkit.dll*\" GrantedAccess IN (\"0x1F0FFF\", \"0x1FFFFF\", \"0x1010\")) OR\n    (EventCode=11 Image=\"*rootkit.dll*\" TargetFilename=\"*\\\\u*\")\n)\n| stats count by EventCode, Computer, Image, TargetImage, ImageLoaded, User\n| where count > 2\n| sort -count",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3a11751c-f7d1-573d-ab60-48fa1c46a037",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223671Z",
            "modified": "2026-06-14T11:55:42.223671Z",
            "name": "Microsoft Sentinel (KQL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Arsenal-237 rootkit.dll Comprehensive Detection\nlet BYOVDDriverLoad =\n    DeviceEvents\n    | where ActionType == \"DriverLoad\"\n    | where FileName has \"BdApiUtil64.sys\"\n    | project TimeGenerated, DeviceName, ActionType, FileName, SHA256;\nlet SecurityProcessTermination =\n    DeviceProcessEvents\n    | where ActionType == \"ProcessTerminated\"\n    | where FileName in~ (\"MsMpEng.exe\", \"CSFalconService.exe\", \"ekrn.exe\", \"avp.exe\",\n                          \"MBAMService.exe\", \"SophosHealth.exe\", \"CylanceSvc.exe\", \"SentinelAgent.exe\")\n    | summarize TerminatedProcesses=make_list(FileName), Count=count()\n      by DeviceName, InitiatingProcessFileName, bin(TimeGenerated, 1m)\n    | where Count >= 3;\nlet RootkitDLLActivity =\n    DeviceFileEvents\n    | where FileName == \"rootkit.dll\" or InitiatingProcessFileName == \"rootkit.dll\"\n    | project TimeGenerated, DeviceName, ActionType, FolderPath, FileName;\nlet APIHooking =\n    DeviceEvents\n    | where ActionType == \"CreateRemoteThreadApiCall\"\n    | where InitiatingProcessFileName contains \"rootkit.dll\"\n    | project TimeGenerated, DeviceName, TargetProcessName, InitiatingProcessFileName;\nunion BYOVDDriverLoad, SecurityProcessTermination, RootkitDLLActivity, APIHooking\n| summarize DetectionEvents=make_set(ActionType), TotalDetections=count()\n  by DeviceName, bin(TimeGenerated, 5m)\n| where TotalDetections >= 2\n| extend Severity = case(\n    TotalDetections >= 4, \"Critical\",\n    TotalDetections >= 3, \"High\",\n    \"Medium\"\n)\n| project TimeGenerated, DeviceName, DetectionEvents, TotalDetections, Severity\n| sort by TimeGenerated desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--278dab87-a2f7-544c-8883-a74eb0018ca5",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.223796Z",
            "modified": "2026-06-14T11:55:42.223796Z",
            "name": "Splunk Enterprise Security",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=windows (sourcetype=WinEventLog:Sysmon OR sourcetype=WinEventLog:Security)\n(\n    (EventCode=6 ImageLoaded=\"*BdApiUtil64.sys*\") OR\n    (EventCode=1 (Image=\"*rootkit.dll*\" OR CommandLine=\"*rootkit.dll*\")) OR\n    (EventCode=8 SourceImage=\"*rootkit.dll*\") OR\n    (EventCode=10 SourceImage=\"*rootkit.dll*\" GrantedAccess IN (\"0x1F0FFF\", \"0x1FFFFF\")) OR\n    (EventCode=4688 NewProcessName IN (\"*MsMpEng.exe*\", \"*CSFalconService.exe*\", \"*ekrn.exe*\"))\n)\n| eval detection_type=case(\n    EventCode=6, \"BYOVD_DriverLoad\",\n    EventCode=1, \"Rootkit_ProcessCreation\",\n    EventCode=8, \"RemoteThread_Injection\",\n    EventCode=10, \"ProcessAccess_Hooking\",\n    EventCode=4688, \"SecurityProcess_Activity\",\n    1=1, \"Unknown\"\n)\n| stats count by detection_type, Computer, User, _time\n| where count > 2\n| eval risk_score=case(\n    detection_type=\"BYOVD_DriverLoad\", 100,\n    detection_type=\"RemoteThread_Injection\", 95,\n    detection_type=\"ProcessAccess_Hooking\", 90,\n    detection_type=\"SecurityProcess_Activity\", 85,\n    detection_type=\"Rootkit_ProcessCreation\", 95,\n    1=1, 50\n)\n| where risk_score >= 85\n| sort -risk_score, -count\n| table _time, Computer, User, detection_type, count, risk_score",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--107713b6-83c7-58d4-829f-ef55eba55288",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.22392Z",
            "modified": "2026-06-14T11:55:42.22392Z",
            "name": "BYOVD Driver Deployment Timeline",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Microsoft Defender Advanced Hunting\nDeviceFileEvents\n| where FileName =~ \"BdApiUtil64.sys\"\n| project Timestamp, DeviceName, ActionType, FolderPath, SHA256, InitiatingProcessFileName\n| join kind=inner (\n    DeviceEvents\n    | where ActionType == \"DriverLoad\"\n    | where FileName =~ \"BdApiUtil64.sys\"\n) on DeviceName\n| join kind=inner (\n    DeviceProcessEvents\n    | where ActionType == \"ProcessTerminated\"\n    | where FileName in~ (\"MsMpEng.exe\", \"CSFalconService.exe\", \"ekrn.exe\")\n) on DeviceName\n| project Timestamp, DeviceName, AttackPhase=strcat(\"File Drop -> Driver Load -> Process Kill\"),\n          InitiatingProcessFileName, SHA256\n| sort by Timestamp asc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1162f4ec-8e16-5181-aa12-a60d14362f97",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224046Z",
            "modified": "2026-06-14T11:55:42.224046Z",
            "name": "Rust-Compiled Malware Discovery",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Search for Rust runtime signatures in executables\nDeviceFileEvents\n| where ActionType in (\"FileCreated\", \"FileModified\")\n| where FileName endswith \".exe\" or FileName endswith \".dll\"\n| join kind=inner (\n    DeviceProcessEvents\n    | where ProcessCommandLine contains \"rust\" or InitiatingProcessCommandLine contains \"std::panicking\"\n) on DeviceName, FileName\n| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine\n| distinct DeviceName, FileName, SHA256",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--753c1993-ccd9-5e61-9684-dec028f4f555",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224171Z",
            "modified": "2026-06-14T11:55:42.224171Z",
            "name": "Security Product Tampering Timeline",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Track security process terminations in temporal sequence\nDeviceProcessEvents\n| where ActionType == \"ProcessTerminated\"\n| where FileName in~ (\"MsMpEng.exe\", \"MpCmdRun.exe\", \"NisSrv.exe\", \"SecurityHealthService.exe\",\n                      \"CSFalconService.exe\", \"CSAgent.exe\", \"ekrn.exe\", \"avp.exe\",\n                      \"MBAMService.exe\", \"SophosHealth.exe\", \"CylanceSvc.exe\", \"SentinelAgent.exe\")\n| summarize TerminationEvents=make_list(FileName), FirstTermination=min(Timestamp),\n            LastTermination=max(Timestamp), TerminationCount=count()\n  by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256\n| where TerminationCount >= 3\n| extend AttackDuration = datetime_diff('second', LastTermination, FirstTermination)\n| project DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, TerminationEvents,\n          TerminationCount, FirstTermination, LastTermination, AttackDuration\n| sort by TerminationCount desc, AttackDuration asc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d66bfc6f-9c78-537d-a649-974d5bf698e2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224339Z",
            "modified": "2026-06-14T11:55:42.224339Z",
            "name": "File System Stealth Activity",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Identify suspicious Unicode file operations\nDeviceFileEvents\n| where ActionType in (\"FileCreated\", \"FileRenamed\", \"FileDeleted\")\n| where FolderPath contains \"\\\\u\" or FolderPath contains \"%u\" or FileName contains \"\\\\x\"\n| where InitiatingProcessFileName contains \"rootkit.dll\" or ProcessVersionInfoOriginalFileName contains \"rootkit\"\n| summarize FileOperations=make_set(ActionType), AffectedFiles=make_set(FileName), Count=count()\n  by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, bin(Timestamp, 1h)\n| where Count >= 5\n| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256,\n          FileOperations, AffectedFiles, Count\n| sort by Count desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8db18e65-c1bc-5cbf-aea1-cc2f06e6dbd0",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224554Z",
            "modified": "2026-06-14T11:55:42.224554Z",
            "name": "PowerShell Integration Analysis",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Track PowerShell execution from DLL context\nDeviceProcessEvents\n| where FileName in~ (\"powershell.exe\", \"pwsh.exe\")\n| where ProcessCommandLine contains \"-enc\" or ProcessCommandLine contains \"-EncodedCommand\"\n        or ProcessCommandLine contains \"bypass\"\n| where InitiatingProcessCommandLine contains \"rootkit.dll\"\n        or InitiatingProcessFileName contains \"rootkit\"\n| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName,\n          InitiatingProcessCommandLine, AccountName\n| extend DecodedCommand = base64_decode_tostring(extract(@\"-enc(?:odedCommand)?\\s+([A-Za-z0-9+/=]+)\", 1, ProcessCommandLine))\n| project Timestamp, DeviceName, ProcessCommandLine, DecodedCommand, InitiatingProcessFileName, AccountName\n| sort by Timestamp desc",
            "pattern_type": "kusto",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6f71a7a8-5a71-51e4-a529-62fc8c72296b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224751Z",
            "modified": "2026-06-14T11:55:42.224751Z",
            "name": "Arsenal237_BdApiUtil64_Hash",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BdApiUtil64_Hash {\n    meta:\n        description = \"Detects Arsenal-237 BdApiUtil64.sys by file hash\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        hash = \"47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428\"\n        severity = \"CRITICAL\"\n        family = \"Arsenal-237\"\n        technique = \"T1068 - BYOVD Exploitation\"\n\n    condition:\n        hash.sha256(0, filesize) == \"47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428\" or\n        hash.md5(0, filesize) == \"ced47b89212f3260ebeb41682a4b95ec\" or\n        hash.sha1(0, filesize) == \"148c0cde4f2ef807aea77d7368f00f4c519f47ef\"\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--65f4b455-dd40-525b-85cd-ce112305e2db",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.224944Z",
            "modified": "2026-06-14T11:55:42.224944Z",
            "name": "Arsenal237_BdApiUtil_Signature",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BdApiUtil_Signature {\n    meta:\n        description = \"Detects BdApiUtil64.sys by Baidu signature and PDB path\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        technique = \"T1068 - BYOVD with Legitimate Signature\"\n\n    strings:\n        $pdb = \"D:\\\\jenkins\\\\workspace\\\\bav_5.0_workspace\\\\BavOutput\\\\Pdb\\\\Release\\\\BdApiUtil64.pdb\" ascii wide\n        $signer = \"Baidu Online Network Technology\" ascii wide\n        $product = \"Baidu Antivirus\" ascii wide\n        $device = \"\\\\Device\\\\BdApiUtil\" ascii wide\n        $service = \"Bprotect\" ascii wide\n        $callback = \"bdProtectExpCallBack\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and\n        uint32(uint32(0x3C)) == 0x00004550 and\n        (2 of ($*))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6988997b-a2bc-51cf-b60e-d450ad51c5ed",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.225151Z",
            "modified": "2026-06-14T11:55:42.225151Z",
            "name": "Arsenal237_BdApiUtil_IOCTL_Abuse",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BdApiUtil_IOCTL_Abuse {\n    meta:\n        description = \"Detects malware using BdApiUtil64.sys IOCTL codes\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        technique = \"T1562.001 - Process Termination via Driver IOCTLs\"\n\n    strings:\n        // Primary IOCTL codes\n        $ioctl1 = { B4 24 00 80 }    // 0x800024b4 - Direct termination\n        $ioctl2 = { B8 24 00 80 }    // 0x800024b8 - SSDT bypass\n        $ioctl3 = { 24 23 00 80 }    // 0x80002324 - Service manipulation\n        $ioctl4 = { 48 26 00 80 }    // 0x80002648 - File access 1\n        $ioctl5 = { 4C 26 00 80 }    // 0x8000264c - File access 2\n\n        // DeviceIoControl API\n        $api = \"DeviceIoControl\" ascii wide\n\n        // Device name\n        $device = \"\\\\\\\\.\\\\BdApiUtil\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and\n        $api and $device and\n        2 of ($ioctl*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--acaa36c7-b99c-5667-81f8-efb25c45191e",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.225362Z",
            "modified": "2026-06-14T11:55:42.225362Z",
            "name": "Arsenal237_BdApiUtil_SSDT_Bypass",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BdApiUtil_SSDT_Bypass {\n    meta:\n        description = \"Detects SSDT bypass implementation in malware\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"CRITICAL\"\n        technique = \"T1027.010 - SSDT Indirect System Calls\"\n\n    strings:\n        $ssdt_string = \"KeServiceDescriptorTable\" ascii wide\n        $api1 = \"MmGetSystemRoutineAddress\" ascii wide\n        $api2 = \"RtlInitUnicodeString\" ascii wide\n\n        // Hook detection pattern (checking for 0xb8 opcode)\n        $hook_check = { 80 3? B8 }    // cmp byte ptr [reg], 0xb8\n\n        // SSDT lookup pattern\n        $ssdt_lookup = { 8B ?? ?? C1 E? 02 }    // mov reg, [reg+offset]; shl reg, 2\n\n    condition:\n        uint16(0) == 0x5A4D and\n        $ssdt_string and\n        all of ($api*) and\n        1 of ($hook_check, $ssdt_lookup)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5d4a414d-8df4-500e-a01d-ebd00e6e45da",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.225716Z",
            "modified": "2026-06-14T11:55:42.225716Z",
            "name": "Arsenal237_BdApiUtil_Kernel_Termination",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_BdApiUtil_Kernel_Termination {\n    meta:\n        description = \"Detects kernel-mode process termination capabilities\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-26\"\n        severity = \"HIGH\"\n        technique = \"T1562.001 - Kernel-Level Security Product Termination\"\n\n    strings:\n        // Kernel APIs for process termination\n        $api1 = \"PsLookupProcessByProcessId\" ascii\n        $api2 = \"ZwTerminateProcess\" ascii\n        $api3 = \"ObOpenObjectByPointer\" ascii\n        $api4 = \"ObDereferenceObject\" ascii\n\n        // Target security products\n        $target1 = \"MsMpEng.exe\" ascii wide nocase\n        $target2 = \"CSFalconService.exe\" ascii wide nocase\n        $target3 = \"ekrn.exe\" ascii wide nocase\n        $target4 = \"avp.exe\" ascii wide nocase\n\n    condition:\n        uint16(0) == 0x5A4D and\n        3 of ($api*) and\n        2 of ($target*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5810feb9-a7c5-5f68-911c-71933b06a14f",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.225968Z",
            "modified": "2026-06-14T11:55:42.225968Z",
            "name": "Suspicious Baidu Driver Load (BdApiUtil64.sys BYOVD)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Baidu Driver Load (BdApiUtil64.sys BYOVD)\nid: a1b2c3d4-e5f6-7890-1234-567890abcdef\nstatus: stable\ndescription: Detects loading of vulnerable Baidu driver (BdApiUtil64.sys) used in BYOVD attacks\nreferences:\n    - Arsenal-237 malware toolkit analysis\n    - BlackByte, Cuba, ALPHV ransomware campaigns\nauthor: The Hunters Ledger\ndate: 2026-01-26\nmodified: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1068\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection_hash:\n        Hashes|contains:\n            - '47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428'\n            - 'ced47b89212f3260ebeb41682a4b95ec'\n            - '148c0cde4f2ef807aea77d7368f00f4c519f47ef'\n    selection_signature:\n        ImageLoaded|contains: 'BdApiUtil'\n        Signed: 'true'\n        Signature|contains: 'Baidu'\n    selection_expired:\n        ImageLoaded|endswith: '.sys'\n        Signed: 'true'\n        SignatureStatus: 'Valid'\n        Signature|contains: 'Baidu'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate Baidu Antivirus installation (very rare in enterprise environments)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--17563395-7c8c-54dd-a9b5-81477e648878",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.226178Z",
            "modified": "2026-06-14T11:55:42.226178Z",
            "name": "Suspicious Bprotect Service Creation (BdApiUtil64.sys)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Bprotect Service Creation (BdApiUtil64.sys)\nid: b2c3d4e5-f6g7-8901-2345-678901bcdefg\nstatus: stable\ndescription: Detects creation of Bprotect service associated with BdApiUtil64.sys driver\nreferences:\n    - Arsenal-237 BYOVD technique\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.persistence\n    - attack.t1547.006\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 7045\n        ServiceName: 'Bprotect'\n        ImagePath|contains: 'BdApiUtil'\n    condition: selection\nfalsepositives:\n    - Legitimate Baidu Antivirus installation\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--362e8892-6705-5ea5-af98-a9d21591364d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.226324Z",
            "modified": "2026-06-14T11:55:42.226324Z",
            "name": "Security Product Termination After Driver Load (BYOVD Pattern)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Security Product Termination After Driver Load (BYOVD Pattern)\nid: c3d4e5f6-g7h8-9012-3456-789012cdefgh\nstatus: stable\ndescription: Detects security product process termination shortly after suspicious driver load\nreferences:\n    - BYOVD attack pattern\n    - Arsenal-237 toolkit\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.impact\n    - attack.t1489\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection_driver:\n        EventID: 6\n        ImageLoaded|contains:\n            - 'BdApiUtil'\n            - 'Baidu'\n    selection_termination:\n        EventID: 5\n        Image|endswith:\n            - 'MsMpEng.exe'\n            - 'CSFalconService.exe'\n            - 'ekrn.exe'\n            - 'avp.exe'\n            - 'SophosHealth.exe'\n            - 'cb.exe'\n            - 'MBAMService.exe'\n    timeframe: 60s\n    condition: selection_driver and selection_termination | near selection_driver\nfalsepositives:\n    - Legitimate service restarts during updates (check timing correlation)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7b26c8b1-f9d9-5693-b49b-225d0243f294",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.226456Z",
            "modified": "2026-06-14T11:55:42.226456Z",
            "name": "DeviceIoControl Calls to BdApiUtil Driver",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: DeviceIoControl Calls to BdApiUtil Driver\nid: d4e5f6g7-h8i9-0123-4567-890123defghi\nstatus: experimental\ndescription: Detects DeviceIoControl API calls to \\\\.\\BdApiUtil device object\nreferences:\n    - Arsenal-237 BYOVD IOCTL abuse\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.collection\n    - attack.t1005\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection_api:\n        CallTrace|contains: 'DeviceIoControl'\n    selection_device:\n        TargetObject|contains: '\\\\.\\BdApiUtil'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate Baidu Antivirus operations (rare)\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bd4adcb6-ddae-5b92-96ad-3c1a990bb0fd",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.226609Z",
            "modified": "2026-06-14T11:55:42.226609Z",
            "name": "KeServiceDescriptorTable Resolution (SSDT Bypass Attempt)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: KeServiceDescriptorTable Resolution (SSDT Bypass Attempt)\nid: e5f6g7h8-i9j0-1234-5678-901234efghij\nstatus: experimental\ndescription: Detects attempts to resolve KeServiceDescriptorTable for SSDT bypass\nreferences:\n    - Advanced EDR evasion via SSDT bypass\n    - Arsenal-237 BdApiUtil64.sys capability\nauthor: The Hunters Ledger\ndate: 2026-01-26\ntags:\n    - attack.defense_evasion\n    - attack.t1027.010\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: kernel_api\ndetection:\n    selection:\n        CallTrace|contains:\n            - 'MmGetSystemRoutineAddress'\n            - 'KeServiceDescriptorTable'\n    condition: selection\nfalsepositives:\n    - Legitimate kernel drivers (verify driver signature and vendor)\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d08bddc6-7fef-54d7-b117-8268b1b89d57",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.227405Z",
            "modified": "2026-06-14T11:55:42.227405Z",
            "name": "Elastic Security (EQL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// BdApiUtil64.sys service creation and driver load sequence\nsequence by host.name with maxspan=5m\n  [registry where registry.path : \"*\\\\Services\\\\Bprotect*\" and event.action == \"creation\"]\n  [driver where file.name : \"BdApiUtil64.sys\"]\n  [process where\n    event.action == \"termination\" and\n    process.name in (\"MsMpEng.exe\", \"CSFalconService.exe\", \"ekrn.exe\", \"avp.exe\")]",
            "pattern_type": "eql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--079ae08b-524f-58d3-a692-c54187a4619c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.227733Z",
            "modified": "2026-06-14T11:55:42.227733Z",
            "name": "Splunk SPL",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// BdApiUtil64.sys BYOVD detection - comprehensive hunt\nindex=windows (sourcetype=WinEventLog:Sysmon OR sourcetype=WinEventLog:Security)\n(\n    (EventCode=6 ImageLoaded=\"*BdApiUtil*\") OR\n    (EventCode=6 Hashes=\"*47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428*\") OR\n    (EventCode=7045 ServiceName=\"Bprotect\") OR\n    (EventCode=5 Image IN (\"*MsMpEng.exe\", \"*CSFalconService.exe\", \"*ekrn.exe\", \"*avp.exe\"))\n)\n| eval event_type=case(\n    EventCode=6, \"DriverLoad\",\n    EventCode=7045, \"ServiceCreation\",\n    EventCode=5, \"ProcessTermination\"\n)\n| stats count earliest(_time) as FirstSeen latest(_time) as LastSeen by ComputerName, event_type, Image, ImageLoaded, ServiceName\n| convert ctime(FirstSeen) ctime(LastSeen)\n| sort -LastSeen",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cd677539-8cc8-52f0-9776-d792f854a214",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.228035Z",
            "modified": "2026-06-14T11:55:42.228035Z",
            "name": "Arsenal237_LPE_EXE_Hash",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_EXE_Hash {\n    meta:\n        description = \"Detects Arsenal-237 lpe.exe by file hash\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        hash = \"c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e\"\n        severity = \"CRITICAL\"\n        family = \"Arsenal-237\"\n\n    condition:\n        hash.sha256(0, filesize) == \"c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e\" or\n        hash.md5(0, filesize) == \"47400a6b7c84847db0513e6dbc04e469\"\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00ac79d4-d8fa-5a3a-9b27-fb664aabd7e9",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.229398Z",
            "modified": "2026-06-14T11:55:42.229398Z",
            "name": "Arsenal237_LPE_Token_Manipulation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_Token_Manipulation {\n    meta:\n        description = \"Detects lpe.exe token impersonation API pattern\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        severity = \"HIGH\"\n        technique = \"T1134.001 - Token Impersonation\"\n\n    strings:\n        $api1 = \"CreateToolhelp32Snapshot\" ascii wide\n        $api2 = \"OpenProcessToken\" ascii wide\n        $api3 = \"DuplicateTokenEx\" ascii wide\n        $api4 = \"ImpersonateLoggedOnUser\" ascii wide\n        $api5 = \"Process32FirstW\" ascii wide\n        $api6 = \"Process32NextW\" ascii wide\n\n        $process1 = \"winlogon.exe\" ascii wide nocase\n        $process2 = \"lsass.exe\" ascii wide nocase\n        $process3 = \"services.exe\" ascii wide nocase\n        $process4 = \"csrss.exe\" ascii wide nocase\n\n    condition:\n        uint16(0) == 0x5A4D and\n        all of ($api*) and\n        2 of ($process*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e3d1fac0-4355-5c04-b152-96392d11e30c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.229796Z",
            "modified": "2026-06-14T11:55:42.229796Z",
            "name": "Arsenal237_LPE_UAC_Bypass",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_UAC_Bypass {\n    meta:\n        description = \"Detects lpe.exe UAC bypass via registry hijack\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        severity = \"HIGH\"\n        technique = \"T1548.002 - UAC Bypass\"\n\n    strings:\n        $reg1 = \"HKCU\\\\\\\\Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\Shell\\\\\\\\Open\\\\\\\\command\" ascii wide nocase\n        $reg2 = \"DelegateExecute\" ascii wide\n        $reg3 = \"reg add\" ascii wide nocase\n        $reg4 = \"fodhelper.exe\" ascii wide nocase\n        $reg5 = \"reg delete\" ascii wide nocase\n\n    condition:\n        uint16(0) == 0x5A4D and\n        all of ($reg*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--859c8f16-ff76-56bd-bb90-88e654f68c69",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.230116Z",
            "modified": "2026-06-14T11:55:42.230116Z",
            "name": "Arsenal237_LPE_Schtasks",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_Schtasks {\n    meta:\n        description = \"Detects lpe.exe scheduled task escalation via direct schtasks.exe use\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        severity = \"HIGH\"\n        technique = \"T1053.005 - Scheduled Task\"\n        note = \"Task name likely randomized - cannot rely on specific task names\"\n\n    strings:\n        $schtasks1 = \"schtasks\" ascii wide nocase\n        $schtasks2 = \"/create\" ascii wide nocase\n        $schtasks3 = \"/tn\" ascii wide nocase\n        $schtasks4 = \"/ru SYSTEM\" ascii wide nocase\n        $schtasks5 = \"/delete\" ascii wide nocase\n\n    condition:\n        uint16(0) == 0x5A4D and\n        all of ($schtasks*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cbd413eb-c68a-54da-9882-dc77ba78ae0b",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.230481Z",
            "modified": "2026-06-14T11:55:42.230481Z",
            "name": "Arsenal237_LPE_Named_Pipe",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_Named_Pipe {\n    meta:\n        description = \"Detects lpe.exe named pipe impersonation\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        severity = \"HIGH\"\n        technique = \"T1055.001 - Named Pipe Impersonation\"\n\n    strings:\n        $pipe1 = \"CreateNamedPipeW\" ascii wide\n        $pipe2 = \"ImpersonateNamedPipeClient\" ascii wide\n        $pipe3 = \"ConnectNamedPipe\" ascii wide\n        $pipe4 = \"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\\" ascii wide\n        $pipe5 = \"spoolss\" ascii wide nocase\n\n        $ps = \"powershell\" ascii wide nocase\n        $ps_pipe = \"NamedPipeClientStream\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and\n        (all of ($pipe*) or ($ps and $ps_pipe))\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a089187d-8ad9-5556-955b-877d90a72c19",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.231413Z",
            "modified": "2026-06-14T11:55:42.231413Z",
            "name": "Arsenal237_LPE_WMIC",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "rule Arsenal237_LPE_WMIC {\n    meta:\n        description = \"Detects lpe.exe WMIC process creation (low-specificity rule: the four substrings are matched independently and case-insensitively anywhere in the PE, so expect false positives on benign binaries that merely reference wmic)\"\n        author = \"The Hunters Ledger\"\n        date = \"2026-01-25\"\n        severity = \"MEDIUM\"\n        technique = \"T1047 - WMI\"\n\n    strings:\n        $wmic1 = \"wmic\" ascii wide nocase\n        $wmic2 = \"process\" ascii wide nocase\n        $wmic3 = \"call\" ascii wide nocase\n        $wmic4 = \"create\" ascii wide nocase\n\n    condition:\n        uint16(0) == 0x5A4D and\n        all of ($wmic*)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--08418b43-3be5-5c3c-8042-13a1bd6283d2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.231802Z",
            "modified": "2026-06-14T11:55:42.231802Z",
            "name": "Privilege Escalation via Token Impersonation (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Privilege Escalation via Token Impersonation (lpe.exe)\nid: a1b2c3d4-e5f6-7890-1234-567890abcdef\nstatus: experimental\ndescription: Detects token impersonation sequence characteristic of lpe.exe\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - lpe.exe analysis report\n    - Arsenal-237 malware toolkit investigation\ntags:\n    - attack.privilege_escalation\n    - attack.t1134.001\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection_process_access:\n        TargetImage|endswith:\n            - '\\\\winlogon.exe'\n            - '\\\\lsass.exe'\n            - '\\\\services.exe'\n            - '\\\\csrss.exe'\n        GrantedAccess:\n            - '0x1410'  # PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ\n            - '0x1000'  # PROCESS_QUERY_LIMITED_INFORMATION\n    selection_api:\n        CallTrace|contains:\n            - 'OpenProcessToken'\n            - 'DuplicateTokenEx'\n            - 'ImpersonateLoggedOnUser'\n    condition: selection_process_access and selection_api\nfalsepositives:\n    - Legitimate administrative tools performing token operations (rare)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bd0c3b7d-e5d8-5e46-8c87-32354e8ce8ca",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.232164Z",
            "modified": "2026-06-14T11:55:42.232164Z",
            "name": "UAC Bypass via ms-settings Registry Hijack (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: UAC Bypass via ms-settings Registry Hijack (lpe.exe)\nid: b2c3d4e5-f6a7-8901-2345-678901bcdefg\nstatus: experimental\ndescription: Detects UAC bypass via fodhelper.exe registry hijack (lpe.exe technique)\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_registry:\n        TargetObject|contains:\n            - '\\\\Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command'\n        EventType: SetValue\n    selection_fodhelper:\n        EventID: 1  # Process creation\n        Image|endswith: '\\\\fodhelper.exe'\n        ParentImage|endswith:\n            - '\\\\reg.exe'\n            - '\\\\lpe.exe'\n    timeframe: 30s\n    condition: selection_registry and selection_fodhelper\nfalsepositives:\n    - Legitimate software installation (extremely rare)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--45face78-e29b-525b-9789-72c13a8dbf52",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.232488Z",
            "modified": "2026-06-14T11:55:42.232488Z",
            "name": "Scheduled Task Created as SYSTEM (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Scheduled Task Created as SYSTEM (lpe.exe)\nid: c3d4e5f6-a7b8-9012-3456-789012cdefgh\nstatus: experimental\ndescription: Detects scheduled task creation with SYSTEM privileges from non-administrative process (direct use of schtasks.exe, not hijacking another component)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - Task names are likely randomized - detection should focus on /ru SYSTEM parameter, not task name\ntags:\n    - attack.privilege_escalation\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/create'\n            - '/ru'\n            - 'SYSTEM'\n    filter_admin:\n        User|contains:\n            - 'NT AUTHORITY\\\\SYSTEM'\n            - 'Administrator'\n    condition: selection and not filter_admin\nfalsepositives:\n    - System administrators manually creating SYSTEM tasks (should be reviewed)\n    - Legitimate administrative scripts using schtasks.exe\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--92c9ef20-8b2d-5f10-8d60-b1c406742ec7",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.232826Z",
            "modified": "2026-06-14T11:55:42.232826Z",
            "name": "Named Pipe Impersonation Attack (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Named Pipe Impersonation Attack (lpe.exe)\nid: d4e5f6a7-b8c9-0123-4567-890123defghi\nstatus: experimental\ndescription: Detects named pipe creation followed by impersonation attempt\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.privilege_escalation\n    - attack.t1055.001\nlogsource:\n    product: windows\n    category: pipe_created\ndetection:\n    selection_pipe:\n        EventID: 17  # Sysmon pipe created\n        PipeName|contains:\n            - 'spoolss'\n            - 'pipe'\n    selection_powershell:\n        EventID: 1  # Process creation\n        Image|endswith: '\\\\powershell.exe'\n        CommandLine|contains: 'NamedPipeClientStream'\n    timeframe: 60s\n    condition: selection_pipe and selection_powershell\nfalsepositives:\n    - Legitimate administrative tools using named pipes (rare)\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d0b0dfae-da1a-55da-b984-775ff4cf09a3",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.23313Z",
            "modified": "2026-06-14T11:55:42.23313Z",
            "name": "WMIC Process Creation for Privilege Escalation (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: WMIC Process Creation for Privilege Escalation (lpe.exe)\nid: e5f6a7b8-c9d0-1234-5678-901234efghij\nstatus: experimental\ndescription: Detects WMIC being used to create processes for privilege escalation\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.execution\n    - attack.privilege_escalation\n    - attack.t1047\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\\\wmic.exe'\n        CommandLine|contains|all:\n            - 'process'\n            - 'call'\n            - 'create'\n    filter_admin:\n        User|contains:\n            - 'NT AUTHORITY\\\\SYSTEM'\n            - 'Administrator'\n    condition: selection and not filter_admin\nfalsepositives:\n    - Legitimate administrative scripts using WMIC (review context)\nlevel: medium",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0642bb53-464c-5893-860c-a9902b5fd74d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.233454Z",
            "modified": "2026-06-14T11:55:42.233454Z",
            "name": "Multi-Technique Privilege Escalation Sequence (lpe.exe)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Multi-Technique Privilege Escalation Sequence (lpe.exe)\nid: f6a7b8c9-d0e1-2345-6789-012345fghijk\nstatus: experimental\ndescription: Detects multiple privilege escalation techniques attempted in rapid succession (lpe.exe signature)\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.privilege_escalation\n    - attack.t1134.001\n    - attack.t1548.002\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: correlation\ndetection:\n    selection_token:\n        EventType: 'ProcessAccess'\n        TargetImage|endswith:\n            - '\\\\winlogon.exe'\n            - '\\\\lsass.exe'\n    selection_registry:\n        EventType: 'RegistrySet'\n        TargetObject|contains: 'ms-settings\\\\Shell\\\\Open\\\\command'\n    selection_schtasks:\n        Image|endswith: '\\\\schtasks.exe'\n        CommandLine|contains: '/ru SYSTEM'\n    timeframe: 60s\n    condition: 2 of selection_*\nfalsepositives:\n    - Extremely rare - investigate all matches\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ba2317ba-7aa6-5262-bfed-f5c0a03a8848",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.233803Z",
            "modified": "2026-06-14T11:55:42.233803Z",
            "name": "Microsoft Defender for Endpoint (KQL)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "// Hunt for token impersonation API sequence characteristic of lpe.exe\nDeviceEvents\n| where Timestamp > ago(30d)\n| where ActionType in~ (\"OpenProcessToken\", \"DuplicateTokenEx\", \"ImpersonateLoggedOnUser\")\n| where InitiatingProcessFileName !in~ (\"services.exe\", \"lsass.exe\", \"svchost.exe\")  // Exclude legitimate system processes\n| summarize TokenAPIs = make_set(ActionType), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256\n| where array_length(TokenAPIs) >= 2  // At least 2 token manipulation APIs\n| project Timestamp = FirstSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, TokenAPIs, LastSeen\n| sort by Timestamp desc",
            "pattern_type": "kql",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--083d4d9a-1dea-5d32-8775-bb6a0dadad50",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.235803Z",
            "modified": "2026-06-14T11:55:42.235803Z",
            "name": "Splunk SPL Queries",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "index=endpoint sourcetype=sysmon EventCode=10\n| search (TargetImage=\"*\\\\winlogon.exe\" OR TargetImage=\"*\\\\lsass.exe\" OR TargetImage=\"*\\\\services.exe\" OR TargetImage=\"*\\\\csrss.exe\")\n| search GrantedAccess IN (\"0x1410\", \"0x1000\", \"0x1FFFFF\")\n| where SourceImage!=\"*\\\\services.exe\" AND SourceImage!=\"*\\\\lsass.exe\" AND SourceImage!=\"*\\\\svchost.exe\"\n| stats count, values(TargetImage) as TargetProcesses, earliest(_time) as FirstSeen, latest(_time) as LastSeen by SourceImage, SourceProcessId, Computer\n| eval TimeWindow = LastSeen - FirstSeen\n| where TimeWindow < 60\n| table _time, Computer, SourceImage, SourceProcessId, TargetProcesses, count, TimeWindow\n| sort -_time",
            "pattern_type": "spl",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2880b928-5f19-5951-9c90-6657216ed279",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.237194Z",
            "modified": "2026-06-14T11:55:42.237194Z",
            "name": "Critical - CrowdStrike Falcon Process Termination (killer_crowdstrike.dll)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Critical - CrowdStrike Falcon Process Termination (killer_crowdstrike.dll)\nid: a1b2c3d4-e5f6-7890-1234-567890abcdef\nstatus: experimental\ndescription: Detects unexpected termination of CrowdStrike Falcon processes (killer_crowdstrike.dll behavior)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer_crowdstrike.dll analysis report\n    - Arsenal-237 malware toolkit investigation\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_termination\ndetection:\n    selection:\n        Image|endswith:\n            - '\\\\CSFalconService.exe'\n            - '\\\\csagent.exe'\n            - '\\\\CSFalconContainer.exe'\n    filter_legitimate:\n        # Exclude legitimate CrowdStrike updates/restarts\n        ParentImage: 'C:\\\\Program Files\\\\CrowdStrike\\\\*'\n        User: 'NT AUTHORITY\\\\SYSTEM'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Legitimate CrowdStrike Falcon updates or service restarts\n    - Administrator manually stopping Falcon service (should be investigated)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ca1642b6-8930-514e-a603-bc22a7f55516",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.237557Z",
            "modified": "2026-06-14T11:55:42.237557Z",
            "name": "CrowdStrike Termination with Suspicious Service Creation",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: CrowdStrike Termination with Suspicious Service Creation\nid: b2c3d4e5-f6a7-8901-2345-678901bcdefg\nstatus: experimental\ndescription: Detects CrowdStrike termination correlated with kernel driver service creation (BYOVD attack pattern)\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.privilege_escalation\n    - attack.t1068\nlogsource:\n    product: windows\n    category: correlation\ndetection:\n    selection_termination:\n        EventID: 4689  # Process termination\n        ProcessName:\n            - 'CSFalconService.exe'\n            - 'csagent.exe'\n            - 'CSFalconContainer.exe'\n    selection_service:\n        EventID: 7045  # Service installed\n        ServiceType: 'kernel mode driver'\n    timeframe: 60s\n    condition: selection_termination and selection_service\nfalsepositives:\n    - Extremely rare - investigate all matches\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c645b49e-1bf3-58ac-aada-bc9b295c27ec",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.237897Z",
            "modified": "2026-06-14T11:55:42.237897Z",
            "name": "CrowdStrike Sensor Offline with Vulnerable Driver Loading",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: CrowdStrike Sensor Offline with Vulnerable Driver Loading\nid: c3d4e5f6-a7b8-9012-3456-789012cdefgh\nstatus: experimental\ndescription: Detects CrowdStrike sensor disconnection correlated with vulnerable driver loading\nauthor: The Hunters Ledger\ndate: 2026/01/25\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: correlation\ndetection:\n    selection_sensor:\n        Source: 'CrowdStrike'\n        EventType: 'SensorOffline'\n    selection_driver:\n        EventID: 6  # Driver loaded (Sysmon)\n        ImageLoaded|contains:\n            - 'BdApiUtil64.sys'\n            - 'ProcExp'\n            - '.sys'\n        ImageLoaded|contains: '\\\\Temp\\\\'\n    timeframe: 60s\n    condition: selection_sensor and selection_driver\nfalsepositives:\n    - Network connectivity issues causing sensor offline (without driver loading)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9123a6da-0b7a-592d-9fd5-f630603cc7da",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.239174Z",
            "modified": "2026-06-14T11:55:42.239174Z",
            "name": "Suspicious Kernel Driver Service Creation by Rundll32",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Suspicious Kernel Driver Service Creation by Rundll32\nid: 10eb1fbb-2be3-a09e-efb3-d97112e42bb0\nstatus: experimental\ndescription: Detects kernel driver service creation by rundll32.exe (BYOVD attack pattern for killer.dll)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer.dll analysis report\n    - Arsenal-237 malware toolkit investigation\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.privilege_escalation\n    - attack.t1068\nlogsource:\n    product: windows\n    category: registry_set\n    service: sysmon\ndetection:\n    selection_service_create:\n        EventID: 13  # Registry value set (Sysmon)\n        TargetObject|contains: '\\System\\CurrentControlSet\\Services\\'\n        Details|contains: 'SERVICE_KERNEL_DRIVER'\n    selection_parent:\n        Image|endswith: '\\rundll32.exe'\n    filter_legitimate:\n        # Exclude legitimate Microsoft-signed rundll32 operations\n        Signature: 'Microsoft Corporation'\n        TargetObject|contains: '\\System32\\Drivers\\'\n    condition: selection_service_create and selection_parent and not filter_legitimate\nfalsepositives:\n    - Legitimate software installation via rundll32 (extremely rare for kernel drivers)\n    - Administrative scripts using rundll32 for driver deployment (should be reviewed)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--70a17ac8-3412-5346-bcde-0f85f2fa18ad",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.239402Z",
            "modified": "2026-06-14T11:55:42.239402Z",
            "name": "Mass Security Product Process Termination (BYOVD Attack)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Mass Security Product Process Termination (BYOVD Attack)\nid: 10eb1fbb-2be3-a09e-efb3-d97112e42bb1\nstatus: experimental\ndescription: Detects simultaneous termination of multiple security products (killer.dll behavior)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer.dll analysis report\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_termination\ndetection:\n    selection:\n        Image|endswith:\n            - '\\MsMpEng.exe'\n            - '\\ekrn.exe'\n            - '\\avp.exe'\n            - '\\MBAMService.exe'\n            - '\\bdservicehost.exe'\n            - '\\avguard.exe'\n            - '\\NisSrv.exe'\n            - '\\vsserv.exe'\n    timeframe: 60s\n    condition: selection | count(Image) >= 3\nfalsepositives:\n    - Administrator manually stopping multiple security services (should be investigated)\n    - Software conflicts causing cascading failures (rare)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b4bed8c0-6566-5f87-b43c-86b6f5e7b215",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.239572Z",
            "modified": "2026-06-14T11:55:42.239572Z",
            "name": "DeviceIoControl Abuse with BYOVD IOCTL Codes",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: DeviceIoControl Abuse with BYOVD IOCTL Codes\nid: 10eb1fbb-2be3-a09e-efb3-d97112e42bb2\nstatus: experimental\ndescription: Detects DeviceIoControl calls with IOCTL codes used by killer.dll (0x800024B4, 0x8335003C)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer.dll analysis report\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.privilege_escalation\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\n    service: etwti  # ETW Threat Intelligence or EDR telemetry\ndetection:\n    selection_ioctl:\n        EventID: 1  # API call monitoring (requires ETW or EDR)\n        CallStack|contains: 'DeviceIoControl'\n        ControlCode:\n            - '0x800024B4'  # Baidu driver process termination\n            - '0x8335003C'  # Process Explorer driver process termination\n    selection_device:\n        DevicePath:\n            - '\\\\\\\\.\\\\BdApiUtil'\n            - '\\\\\\\\.\\\\PROCEXP152'\n    condition: selection_ioctl or selection_device\nfalsepositives:\n    - Legitimate use of Sysinternals Process Explorer (if version 17.0.7 - review required)\n    - Legitimate Baidu Antivirus software (if installed in environment)\nlevel: critical",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6aba3624-0f2b-5afe-b5ec-5e2ac777c44c",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.239716Z",
            "modified": "2026-06-14T11:55:42.239716Z",
            "name": "Short-Lived Kernel Driver Service (BYOVD Cleanup Pattern)",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Short-Lived Kernel Driver Service (BYOVD Cleanup Pattern)\nid: 10eb1fbb-2be3-a09e-efb3-d97112e42bb3\nstatus: experimental\ndescription: Detects kernel driver services created and deleted within 30 seconds (BYOVD cleanup behavior)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer.dll analysis report\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: service\ndetection:\n    selection_create:\n        EventID:\n            - 7045  # Service installed\n            - 4697  # Service installed (Security log)\n        ServiceType: 'kernel mode driver'\n    selection_delete:\n        EventID: 7040  # Service state changed (stopped/deleted)\n        param1: 'demand start'  # Service stopped\n    timeframe: 30s\n    condition: selection_create and selection_delete\nfalsepositives:\n    - Driver installation testing by IT staff (should be reviewed)\n    - Failed driver installations (review for root cause)\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f12daab7-66c5-5732-b3e4-ef59285102d2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.239872Z",
            "modified": "2026-06-14T11:55:42.239872Z",
            "name": "Kernel Driver File Created in Temp Directory",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "title: Kernel Driver File Created in Temp Directory\nid: 10eb1fbb-2be3-a09e-efb3-d97112e42bb4\nstatus: experimental\ndescription: Detects .sys driver files created in temp directories (BYOVD staging location)\nauthor: The Hunters Ledger\ndate: 2026/01/25\nreferences:\n    - killer.dll analysis report\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.t1027.009\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        EventID: 11  # File created (Sysmon)\n        TargetFilename|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Windows\\Temp\\'\n            - '\\Temp\\'\n        TargetFilename|endswith: '.sys'\n    filter_legitimate:\n        # Exclude known legitimate driver installers\n        Image|contains:\n            - '\\Windows\\System32\\'\n            - '\\Program Files\\'\n        Signature: 'Microsoft Corporation'\n    condition: selection and not filter_legitimate\nfalsepositives:\n    - Legitimate driver installers using temp staging (should extract to System32\\Drivers)\n    - Hardware vendor driver installers (review publisher signatures)\nlevel: high",
            "pattern_type": "sigma",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--da7bc56b-4da1-57d3-af39-efde5a336b65",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.242237Z",
            "modified": "2026-06-14T11:55:42.242237Z",
            "name": "MALWARE killer.dll connection to Arsenal-237 C2 infrastructure",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert tcp $HOME_NET any -> 109.230.231.37 any (\n    msg:\"MALWARE killer.dll connection to Arsenal-237 C2 infrastructure\";\n    flow:to_server,established;\n    reference:sha256,10eb1fbb2be3a09eefb3d97112e42bb06cf029e6cac2a9fb891b8b89a25c788d;\n    reference:url,https://github.com/[your-repo]/reports/killer-dll/;\n    classtype:trojan-activity;\n    sid:2000001;\n    rev:1;\n)\n\nalert tcp 109.230.231.37 any -> $HOME_NET any (\n    msg:\"MALWARE killer.dll inbound from Arsenal-237 C2 infrastructure\";\n    flow:to_client,established;\n    reference:sha256,10eb1fbb2be3a09eefb3d97112e42bb06cf029e6cac2a9fb891b8b89a25c788d;\n    classtype:trojan-activity;\n    sid:2000002;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--7d682b7c-d03f-5432-b859-f6d54aedce71",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.242593Z",
            "modified": "2026-06-14T11:55:42.242593Z",
            "name": "MALWARE Arsenal-237 lpe.exe download attempt",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "alert http $HOME_NET any -> any any (\n    msg:\"MALWARE Arsenal-237 lpe.exe download attempt\";\n    flow:to_server,established;\n    http.uri; content:\"/lpe.exe\"; nocase;\n    http.host; content:\"109.230.231.37\";\n    reference:url,https://github.com/[your-repo]/reports/killer-dll/;\n    classtype:trojan-activity;\n    sid:2000003;\n    rev:1;\n)",
            "pattern_type": "suricata",
            "valid_from": "2026-01-27T00:00:00Z",
            "labels": [
                "detection-rule"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--8e7e93f7-4b77-5666-a76a-48d2a887d83a",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.243085Z",
            "modified": "2026-06-14T11:55:42.243085Z",
            "name": "full_test_enc.exe",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--560920b7-b2dd-5da2-bb40-e6ef07c83fd2",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.243355Z",
            "modified": "2026-06-14T11:55:42.243355Z",
            "name": "dec_fixed.exe",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--726e1b7b-edd1-5445-8162-6b96b801e80d",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.24379Z",
            "modified": "2026-06-14T11:55:42.24379Z",
            "name": "Browser credential extraction tool from Arsenal-237 campaign",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "tool",
            "spec_version": "2.1",
            "id": "tool--98ecf30e-cc99-599b-a4c5-bd66ff291681",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.244006Z",
            "modified": "2026-06-14T11:55:42.244006Z",
            "name": "nethost.dll",
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--8f9bc8c6-2c90-58f4-be2e-d7b64faec4ab",
            "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d",
            "created": "2026-06-14T11:55:42.246193Z",
            "modified": "2026-06-14T11:55:42.246193Z",
            "name": "Arsenal-237 New Files Analysis",
            "report_types": [
                "threat-report"
            ],
            "published": "2026-01-27T00:00:00Z",
            "object_refs": [
                "file--aed218eb-1892-54b0-b0d8-bf7fdd269864",
                "file--4808afb2-9fb4-551e-89e6-e1f8b9f11cf5",
                "file--2dd75871-9b15-5a7e-b515-2f94534ca27c",
                "file--ba6bed9f-017c-5023-91e8-de00432f8faa",
                "indicator--81efbf05-e147-5696-b7f9-f0e7783e5912",
                "indicator--277bc6b4-a26e-5444-a782-9739cbf4cd02",
                "indicator--f03776ea-5f6f-5c10-961e-bb6cc69d94a2",
                "indicator--ac997c05-624f-5ef2-b131-dd8219f3dc05",
                "indicator--ed97a4da-45a8-5f90-9786-69bf740a90d7",
                "indicator--8c9ab8bb-4a8b-5624-8846-261360d3f358",
                "indicator--ea5360b5-98be-51e0-877b-20fa56ec4fab",
                "indicator--095f0bce-6a36-529b-96fa-d52bb9612921",
                "indicator--4140f0b8-2710-5324-9b05-e3778921834c",
                "indicator--2e56c34c-cd35-528f-b395-f5e0791f63c5",
                "indicator--febe47e7-0513-5a75-b535-d569b0fa7238",
                "indicator--8adc0757-bd25-56ae-a75f-5487ab392c89",
                "indicator--8abf43de-4e5a-5553-9195-23be769e86a2",
                "indicator--d414aa30-7964-5ae5-8627-32af1ee3fed8",
                "indicator--4198c984-88ac-573c-b540-bf891a489c64",
                "indicator--7a1b8061-5010-5c93-adde-834d6ea127b6",
                "indicator--9947d139-f6ff-5bc5-a66e-5a0e0f380b8d",
                "indicator--f16009d3-f432-5146-818a-710446bf1883",
                "indicator--9751a6ee-f394-5916-a097-14b753586261",
                "indicator--c31679c4-feec-5fc0-aa84-72252d745939",
                "indicator--46455690-1d28-536b-89ec-338741750da4",
                "indicator--36b3e480-8252-5c0d-a6f0-0cccdd49c18e",
                "indicator--11266e5d-f304-5418-b11f-62bc3441a81c",
                "indicator--5a7d83f0-ef13-5b02-b9b1-480e6cdf25f4",
                "indicator--c43c0474-3200-5a48-9f3f-06d86bdaf07e",
                "indicator--1244c2c7-a430-51c4-b6ce-419cd77313cb",
                "indicator--5a90690f-dfb0-5012-bdcb-2a08a766b26e",
                "indicator--37ab8827-2c36-521e-9626-e25375ddd415",
                "indicator--da3a4367-1454-556e-9d0a-bff3705c4d78",
                "indicator--19404932-6988-5419-be68-7ddbeebd71af",
                "indicator--f3249512-0641-59ff-aab4-f51c96bac9c0",
                "indicator--9045ea7c-feab-5e6b-a262-81a153393374",
                "indicator--5ad9c40a-c556-5b26-9808-aeece6b14f55",
                "indicator--913f55f8-fe5c-5244-b2aa-793336e9064a",
                "indicator--5cb87530-832f-5eb1-b2bd-d33f18777dc2",
                "indicator--76af637c-272e-5434-8ba3-96e71bb84ca4",
                "indicator--e1aba0d2-b81a-57d0-8a8a-86898bba0521",
                "indicator--c547a7fa-69bb-5a77-a8b2-9b6c2a6fd83a",
                "indicator--c0ce1f13-4e27-5256-9758-a1c3d04e423a",
                "indicator--a140d97c-f133-5810-8855-908fbb481607",
                "indicator--b9b994bb-6dd5-542a-9af4-1a7566cd3363",
                "indicator--0640b6b5-85f0-59ce-9891-d1bc28d93ef4",
                "indicator--e3603b8f-d0cc-5924-81af-665455c6b441",
                "indicator--aa8c7e42-5aba-5754-a004-30aea9353352",
                "indicator--e409ab7e-d21e-554f-a6f6-44d84b960e4c",
                "indicator--311fb4d0-dc50-57f3-9637-37ecbe61a6e4",
                "indicator--80ccf17e-636c-50b5-b94d-72cd8b57efa1",
                "indicator--40ffd638-c529-5036-ae12-3dfdd11edc1e",
                "indicator--9cb67205-630f-5d62-ba9b-bf37e3523917",
                "indicator--05121241-3bad-5472-89fd-7cebaa9e4438",
                "indicator--37b9f891-898f-5b27-a371-cb29241df693",
                "indicator--57656b92-0824-5176-ac74-6eecd5cd4f78",
                "indicator--f88b4b06-81a1-51eb-9663-e05844d0ca9e",
                "indicator--9e918263-9096-5679-a553-e13823014aa7",
                "indicator--7b28c91c-b6ff-5e98-9056-7d9eec76fd63",
                "indicator--9046dc0d-8f2a-59f8-9881-52cc9681b714",
                "indicator--7b65b31a-24e6-5fef-a5c8-2cbaa02e275f",
                "indicator--2fb74347-3d7c-5c35-b297-b782df112c13",
                "indicator--56d313e0-0552-5efe-80ec-81ca22e079a0",
                "indicator--7bf0c003-c753-5296-aa15-6fdaf5e5adac",
                "indicator--797cac04-c8b0-5673-8d80-d0fe0ec4c59c",
                "indicator--522259a6-cc5f-523d-ac8b-14ed400d23f0",
                "indicator--6c8833ca-5ba6-5412-884c-c965de16a608",
                "indicator--00601262-681e-5f6e-8cee-717b2be52875",
                "indicator--df7c3436-9e3c-56b3-911e-fb71c39f2bd6",
                "indicator--7c6a66a7-c3bc-5856-b620-a793ac163aa3",
                "indicator--a468b071-fa26-5f52-bd35-b5e3654ece81",
                "indicator--4b05e0ce-26af-5bb8-948f-f78da48a1de3",
                "indicator--3169826b-d523-5ed1-8bb7-ef15a48a83f2",
                "indicator--e4455bbf-a13a-577f-b0f8-67200df89965",
                "indicator--6f65c37e-fe7f-5662-8705-1b354efe674c",
                "indicator--b705daf2-6d7c-5e89-ae2e-085ac95318b5",
                "indicator--d9f0e435-1429-55ef-8cec-a5b14f6f6d26",
                "indicator--7a83678e-7fa5-51e8-a1df-f3cfccad473a",
                "indicator--a788e55e-a520-5dc9-bd98-abbb36c3a04e",
                "indicator--76803065-b394-5d47-aeda-bce564b7c3d2",
                "indicator--33918666-1e5a-5a7b-a599-b4ac0af0d5f5",
                "indicator--d4dbd52c-d42d-5ae9-8fde-c141603549ee",
                "indicator--ab3d5526-e478-51bf-88b5-a99ca1f28114",
                "indicator--fb83e018-3ace-55e3-80c0-7daccbccaef7",
                "indicator--2ab438ee-d558-5bbd-a63b-48e44ed42753",
                "indicator--048d83e8-0d11-55ca-a897-31eef337c93a",
                "indicator--139d7adf-4949-5bb5-ac51-012bc7bce56a",
                "indicator--6db27f16-38fd-55b0-a0de-517a8b41cd98",
                "indicator--d2bc84c4-86a6-5a28-add3-24140aa86705",
                "indicator--4dbe3444-4e81-56f5-94ad-304fb164aa29",
                "indicator--3dd48bf1-3e4d-51de-9fef-6232e464f3fd",
                "indicator--dae5ac10-9336-5802-b484-9ae2e3ad87ba",
                "indicator--a0793479-4668-5c06-a4ea-1fabc89d38aa",
                "indicator--623d1206-14a7-5311-8a3a-4e0d696a173c",
                "indicator--aaac0032-d5cd-50de-97d4-382c4bd9aa2d",
                "indicator--bfb6c6c7-eb32-5bdd-be25-faeed0192bfa",
                "indicator--f271c625-feb2-5827-9016-2fe577eb0bd5",
                "indicator--5662179e-e962-5f13-9708-9f619feb4ef6",
                "indicator--9496950c-f698-5246-b7e0-913d335e8fc7",
                "indicator--1d7c9385-eceb-5a9b-880f-45908851e2fd",
                "indicator--cca7f767-09a3-5173-9443-e4c121938db4",
                "indicator--f0304b53-06c6-5071-8146-c8e60841a5ea",
                "indicator--23bc99f6-2f86-5d31-9b38-a79d69e16a7d",
                "indicator--394150d7-59f0-575c-ae35-cf991d8079bd",
                "indicator--32190f0e-c1f4-543d-94fc-e31b61ab975f",
                "indicator--908c1634-dd7d-5bcc-ad29-fa7b2ae31cad",
                "indicator--8bd510af-aa12-524d-b65b-6f8a6f8a993c",
                "indicator--7b78e9f9-6389-5170-b033-1259417979ba",
                "indicator--fa6d0958-d28b-5ce4-923a-db6c76e5563f",
                "indicator--e520a082-d736-51d0-9db7-efff42bfd37a",
                "indicator--f3fa4248-997b-5727-8e56-db5a5cfa4c0c",
                "indicator--19f65c87-d656-559d-af9f-f3098e913c57",
                "indicator--126212a5-f241-5350-ab7e-0a447d499535",
                "indicator--5b515ade-38da-58fc-92f0-b98ec182104c",
                "indicator--46756a9c-ab5a-5294-b63f-ba24f7af5513",
                "indicator--18093c24-ed0c-53ec-9887-ce1c5ae2d627",
                "indicator--4a1fee1b-123d-575f-8e67-87a0dec4d0ea",
                "indicator--c4d572bb-7c5c-535d-a830-2aaf9108295d",
                "indicator--b598537b-8c33-57ca-afc4-c58ca0cfc416",
                "indicator--14dd5eeb-ade0-583b-a939-ded6b0d61f3f",
                "indicator--bb3124ed-c81c-5b83-9345-5e4536b90260",
                "indicator--a8b364ef-60eb-50a0-b3bf-c51b96dacc69",
                "indicator--3f9f9b89-e553-5f68-89d5-3846fce08d6a",
                "indicator--8779ead2-6887-5854-994d-1c9b61eb9f0b",
                "indicator--32005564-26fe-5bc0-9f26-c61b90090718",
                "indicator--6945097e-dbca-56e9-bd50-7ec10183b0d1",
                "indicator--a53f2a3b-1256-57bd-b129-0c3c696c4310",
                "indicator--1e790e1c-325e-54cf-b708-a3b8e77af76b",
                "indicator--36f77a65-7949-56e2-b38d-39b93c9f3882",
                "indicator--89aa101d-05c3-5d0b-8889-729adc26dc89",
                "indicator--328213e6-a197-5a31-b348-37507eedf440",
                "indicator--9a37c126-1663-5e9b-a8a7-634653957456",
                "indicator--cc30d5fd-d372-5db1-b0b6-3d3ebce74a1e",
                "indicator--8ceae528-52ca-5932-9e3a-91cd7c03fa26",
                "indicator--bc94a404-15e0-5996-a7f9-0f8157f94516",
                "indicator--2c7a10e3-2ad4-54e3-afd0-d42d6fc62850",
                "indicator--53081acd-e6f6-53bc-85ad-ab1340b69af2",
                "indicator--cecfb8f3-50ba-5154-b435-dc89085bf2d9",
                "indicator--8fecc73a-760f-5f84-8164-1a447bdb131e",
                "indicator--f13a9584-2519-54cb-8d4d-c5cea0ac4740",
                "indicator--9e89b181-3f7f-5162-8841-ba80f0ee4793",
                "indicator--9c3cbd5f-c7a0-5343-926e-5fd8a86bbe66",
                "indicator--9636f6ad-7d0a-5745-8061-56ccd679c8ae",
                "indicator--8b063559-7a07-5838-bd15-0844901fed3a",
                "indicator--32a84290-5610-525d-9255-ef5cead2df9c",
                "indicator--f2c6825e-15e2-5b80-8572-6e767639d718",
                "indicator--b60ca61c-69f8-5934-9f89-6d46c560e78f",
                "indicator--3aa1fe6f-6d18-5f7f-b8c4-2ee6fc01b936",
                "indicator--445d8f98-12ee-5482-918a-518c0fddcfb9",
                "indicator--3a11751c-f7d1-573d-ab60-48fa1c46a037",
                "indicator--278dab87-a2f7-544c-8883-a74eb0018ca5",
                "indicator--107713b6-83c7-58d4-829f-ef55eba55288",
                "indicator--1162f4ec-8e16-5181-aa12-a60d14362f97",
                "indicator--753c1993-ccd9-5e61-9684-dec028f4f555",
                "indicator--d66bfc6f-9c78-537d-a649-974d5bf698e2",
                "indicator--8db18e65-c1bc-5cbf-aea1-cc2f06e6dbd0",
                "indicator--6f71a7a8-5a71-51e4-a529-62fc8c72296b",
                "indicator--65f4b455-dd40-525b-85cd-ce112305e2db",
                "indicator--6988997b-a2bc-51cf-b60e-d450ad51c5ed",
                "indicator--acaa36c7-b99c-5667-81f8-efb25c45191e",
                "indicator--5d4a414d-8df4-500e-a01d-ebd00e6e45da",
                "indicator--5810feb9-a7c5-5f68-911c-71933b06a14f",
                "indicator--17563395-7c8c-54dd-a9b5-81477e648878",
                "indicator--362e8892-6705-5ea5-af98-a9d21591364d",
                "indicator--7b26c8b1-f9d9-5693-b49b-225d0243f294",
                "indicator--bd4adcb6-ddae-5b92-96ad-3c1a990bb0fd",
                "indicator--d08bddc6-7fef-54d7-b117-8268b1b89d57",
                "indicator--079ae08b-524f-58d3-a692-c54187a4619c",
                "indicator--cd677539-8cc8-52f0-9776-d792f854a214",
                "indicator--00ac79d4-d8fa-5a3a-9b27-fb664aabd7e9",
                "indicator--e3d1fac0-4355-5c04-b152-96392d11e30c",
                "indicator--859c8f16-ff76-56bd-bb90-88e654f68c69",
                "indicator--cbd413eb-c68a-54da-9882-dc77ba78ae0b",
                "indicator--a089187d-8ad9-5556-955b-877d90a72c19",
                "indicator--08418b43-3be5-5c3c-8042-13a1bd6283d2",
                "indicator--bd0c3b7d-e5d8-5e46-8c87-32354e8ce8ca",
                "indicator--45face78-e29b-525b-9789-72c13a8dbf52",
                "indicator--92c9ef20-8b2d-5f10-8d60-b1c406742ec7",
                "indicator--d0b0dfae-da1a-55da-b984-775ff4cf09a3",
                "indicator--0642bb53-464c-5893-860c-a9902b5fd74d",
                "indicator--ba2317ba-7aa6-5262-bfed-f5c0a03a8848",
                "indicator--083d4d9a-1dea-5d32-8775-bb6a0dadad50",
                "indicator--2880b928-5f19-5951-9c90-6657216ed279",
                "indicator--ca1642b6-8930-514e-a603-bc22a7f55516",
                "indicator--c645b49e-1bf3-58ac-aada-bc9b295c27ec",
                "indicator--9123a6da-0b7a-592d-9fd5-f630603cc7da",
                "indicator--70a17ac8-3412-5346-bcde-0f85f2fa18ad",
                "indicator--b4bed8c0-6566-5f87-b43c-86b6f5e7b215",
                "indicator--6aba3624-0f2b-5afe-b5ec-5e2ac777c44c",
                "indicator--f12daab7-66c5-5732-b3e4-ef59285102d2",
                "indicator--da7bc56b-4da1-57d3-af39-efde5a336b65",
                "indicator--7d682b7c-d03f-5432-b859-f6d54aedce71",
                "tool--8e7e93f7-4b77-5666-a76a-48d2a887d83a",
                "tool--560920b7-b2dd-5da2-bb40-e6ef07c83fd2",
                "tool--726e1b7b-edd1-5445-8162-6b96b801e80d",
                "tool--98ecf30e-cc99-599b-a4c5-bd66ff291681"
            ],
            "labels": [
                "Ransomware",
                "BYOVD",
                "Rootkit",
                "Rust"
            ],
            "external_references": [
                {
                    "source_name": "The Hunters Ledger",
                    "url": "https://the-hunters-ledger.com/reports/arsenal-237-new-files/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        }
    ]
}