mthcht's Avatar

mthcht

@mthcht

Threat Hunting - DFIR - Detection Engineering πŸ™ https://github.com/mthcht 🐦 https://x.com/mthcht πŸ“° https://mthcht.medium.com

892
Followers 310
Following 54
Posts 31.08.2024
Joined
Posts Following

Latest posts by mthcht @mthcht

Preview
Lumma Stealer sinkholed domains Lumma Stealer sinkholed domains. GitHub Gist: instantly share code, notes, and snippets.

Lumma Stealer - 995 sinkholed domains by Microsoft
gist.github.com/mthcht/4b16e...

24.05.2025 15:22 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

it used to be great...

02.04.2025 20:24 πŸ‘ 5 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

@hexacorn.bsky.social :o someone just sent me your list hexacorn.com/examples/201... this is great thanks!

28.03.2025 00:45 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

I started another list dedicated to mutex names for detection
github.com/mthcht/aweso...

Help me enhance this list, I still have plenty more to add!

27.03.2025 19:00 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Thanks! Glad you like them!

09.03.2025 02:25 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

THIS WEBSITE HAS BEEN SEIZED

Discover domains tied to sinkhole NS servers at sinkholed.github.io

Filter by TLD or NS, export in JSON/CSV, weekly update!

Search for the known sinkhole Name Servers in DNS query logs and web access to the sinkholed domains to identify potentially compromised hosts!

08.03.2025 00:18 πŸ‘ 11 πŸ” 5 πŸ’¬ 1 πŸ“Œ 0

😯 I have 652022 sinkholed domains extracted here github.com/mthcht/aweso...

04.03.2025 15:10 πŸ‘ 1 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Post image

🎭 #ThreatHunting February updates 🎭
πŸ™ release: github.com/mthcht/Threa...
🌐 Site: mthcht.github.io/ThreatHuntin...
🧬 yara: github.com/mthcht/Threa...
🐾 Specific artifact lists: github.com/mthcht/aweso...

02.03.2025 22:15 πŸ‘ 5 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0

Of course! PRs are welcome πŸ™

27.02.2025 20:51 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Powershell: after 5 "type .\5\test.txt" calls, the test.txt file is a symlink to win.ini CMD: A single "type .\6\test.txt" call results in every single file being printed, including the final win.ini symlink

Powershell: after 5 "type .\5\test.txt" calls, the test.txt file is a symlink to win.ini CMD: A single "type .\6\test.txt" call results in every single file being printed, including the final win.ini symlink

From over at the Bad Place:
There's an interesting NTFS symlink attack outlined here:
https://dfir.ru/2025/02/23/symlink-attacks-without-code-execution/

Basically, if an NTFS filesystem is corrupted in a way to provide duplicate file names, Windows will […]

[Original post on infosec.exchange]

25.02.2025 22:49 πŸ‘ 17 πŸ” 13 πŸ’¬ 1 πŸ“Œ 0
Preview
Confluence Exploit Leads to LockBit Ransomware Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…

It took just 3 hours:

RCE β†’ Metasploit C2 β†’ Anydesk for remote GUI-access β†’ LockBit ransomware

Interestingly, we observed the threat actor using PDQ Deploy, a patch management tool.

Read the report here:

24.02.2025 15:25 πŸ‘ 9 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0

A bookmark of my lists is now automatically generated after each update in my repo github.com/mthcht/aweso...
I'm also looking to automatically add my starred repos lists github.com/mthcht?tab=s... in this bookmark but there doesn’t seem to be a API endpoint for the stars lists πŸ€” ?

20.02.2025 04:47 πŸ‘ 7 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

It's growing! Now at 38 services and 82 projects πŸ™ˆ What's your favorite LoLC2?

19.02.2025 18:44 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Post image Post image

Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...

17.02.2025 18:53 πŸ‘ 5 πŸ” 3 πŸ’¬ 2 πŸ“Œ 0

In case you don't want to do this yourself, I just discovered that you can request access to a complete list of all existing domains across 1131 TLDs on czds.icann.org for free, including NS records! The lists are updated every month, approval is required for each TLD 🌍

17.02.2025 21:55 πŸ‘ 3 πŸ” 1 πŸ’¬ 0 πŸ“Œ 1
Preview
Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time | Splunk Explore SDDL in Windows security with our comprehensive guide to help enhance your defensive strategy against privilege escalation attacks.

Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time www.splunk.com/en_us/blog/s....

Thrilled to share my first blog at @splunk! @mhaggis.bsky.social and I take a deep dive into the weird & exciting world of SDDL and ACEs - what they are, how they work, and how attackers can abuse them.

15.02.2025 22:36 πŸ‘ 12 πŸ” 5 πŸ’¬ 0 πŸ“Œ 0
Post image Post image

Path masquerading zerosalarium.com/2025/01/path...

Interesting technique, if you're hunting for this, you can directly search the unicode characters in Splunk πŸ₯·

13.02.2025 01:35 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image Post image

Most SOCs handle hundreds to thousands of detection rules in their SIEM. Proper categorization is essential when creating a new detection, as it helps define criticality, urgency, implementation effort, and verbosity level. Keeping things structured will reducing alert fatigue!

12.02.2025 02:07 πŸ‘ 5 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0

I'll keep this updated, let me know if you have any projects to add! some C2 candidates: github.com/lolc2/lolc2....

11.02.2025 22:18 πŸ‘ 3 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Post image Post image

Cert Central .org is live!
We track and report abused code-signing certs.

By submitting to the website, you contribute to the DB of >800 certsβ€”a DB you can access and view.

Want to get more involved? Check out the Training and Research pages to learn more. 1/2

10.02.2025 13:53 πŸ‘ 14 πŸ” 7 πŸ’¬ 1 πŸ“Œ 0
Post image Post image

Hexadecimal IP Detection:

Identifiy hexadecimal IP addresses format in command lines with a "simple" regex (some default behaviors to exclude)

09.02.2025 19:06 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image Post image Post image

Special Caracters anomaly Detection:

This query Extracts common special caracters from the process command line, counts occurrences, calculates ratio, and return commands with more than 20% specials caracters in it, could catch the quote insertions and url transformers techniques

09.02.2025 19:06 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Post image Post image

#ThreatHunting ideas for detecting command-line obfuscation techniques from github.com/wietze/Invok... with Splunk!
(examples with EID 4688)

Mixed Case Randomization Detection:

This query counts uppercase/lowercase letters and return command lines with a near-equal ratio

09.02.2025 19:06 πŸ‘ 5 πŸ” 1 πŸ’¬ 1 πŸ“Œ 1
Preview
GitHub - blechschmidt/massdns: A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) - blechschmidt/massdns

github.com/blechschmidt...

09.02.2025 19:02 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Video thumbnail

I have a list of NS used for sinkhole domains and seized servers: raw.githubusercontent.com/mthcht/awesome…
I'm searching for the domains, on my server I can resolve a record type for ~400 million domains per day with github.com/blechschmidt/mοΏ½οΏ½οΏ½ πŸ˜ƒ Massive improvement compared to other solutions!

09.02.2025 19:01 πŸ‘ 1 πŸ” 1 πŸ’¬ 1 πŸ“Œ 1
Preview
HISAC - High Impact Security Analysis and Communication How to be a well rounded SOC/MDR/Cyber/Information Security Analyst.

I frequently get asked is "what skills do I need need to excel as an analyst", so I figure this is a good opportunity to shed some light on what analysis is, and why certifications alone won't make you a good analyst.

www.jaiminton.com/high-impact-...

02.02.2025 09:28 πŸ‘ 8 πŸ” 4 πŸ’¬ 0 πŸ“Œ 1

I have a bunch of regex applied to every projects, I’ve put most of them here github.com/mthcht/aweso..., The results used for triage look like this github.com/mthcht/Strin...

31.01.2025 23:35 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

nice! I added the binary representation!

31.01.2025 14:45 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
ThreatHunting-Keywords-yara-rules/yara_rules/guids_only.yara at main Β· mthcht/ThreatHunting-Keywords-yara-rules yara detection rules for hunting with the threathunting-keywords project - mthcht/ThreatHunting-Keywords-yara-rules

πŸ‘ added here github.com/mthcht/Threa...

31.01.2025 10:55 πŸ‘ 5 πŸ” 2 πŸ’¬ 1 πŸ“Œ 0

Say goodnight to the bad GUIDs !
badguids.github.io

31.01.2025 08:59 πŸ‘ 8 πŸ” 6 πŸ’¬ 1 πŸ“Œ 0