Add files via upload

nterl0k · web-flow · commit 80fee4b9b9be · 2025-02-07T14:26:58.000-05:00
diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv
@@ -0,0 +1,93 @@
+service_name,service_path,tool_name,tool_category,tool_type,severity,comment,reference
+*mimidrv*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+*mimikatz*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+*sharpsploit*,,sharpsploit,Lateral Movement,offensive_tool,critical,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharpSploit.csv,https://github.com/cobbr/SharpSploit/blob/c16931ddb8cd2335e0bd26feb9aaa35f449d48db/SharpSploit/LateralMovement/SCM.cs#L209
+3proxy,,3proxy,Defense Evasion,offensive_tool,medium,https://github.com/3proxy/3proxy/blob/a80bef9ecf0c0ed98ccb1a1a764f6b79a620b78f/src/stringtable.c#L14,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/_Others/3proxy.csv
+AADInternals,,AADInternals,Credential Access,greyware_tools,high,A little service to steal the AD FS DKM secret,https://github.com/Gerenios/AADInternals/blob/0fa2edf5676439cd3fe7c92ed8006b63f0be9632/ADFS.ps1#L484C132-L484C144
+aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv
+BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md
+BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv
+c3pool_miner,,xmrig,Cryptominer,greyware_tool,critical,https://github.com/C3Pool/xmrig_setup/blob/82c4e9bf7ee3c0c9cd925ede6e46e9ed4cc5f195/setup_c3pool_miner.bat#L380,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv
+chopper,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv
+CorpVPN,,UacMe,Persistence,offensive_tool,critical,https://github.com/r00t-3xp10it/redpill/blob/611d39b8bff717ac84d58550dc04e1b312acb19e/bin/UacMe.ps1#L291,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/redpill.csv
+CreateToken,,CreateToken,Privilege Escalation,offensive_tool,critical,PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API - CreateToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md
+CreatSvcRpc_*,,CreateSvcRpc,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SspiUacBypass.csv
+csexecsvc,,csexec,Lateral Movement,offensive_tool,critical,https://github.com/malcomvetter/CSExec/blob/d6bd3f97e66dc65ccf64d9102a33379fdb769614/csexecsvc/Program.cs#L13,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/csexec.csv
+CyberGhost 6 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost 7 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost 8 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost Tunnel Client: CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost6Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 6\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost7Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 7\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost8Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 8\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhostTunnel$CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: \Program Files\CyberGhost 8\Applications\VPN\WGHelper.exe /service C:\Windows\system32\config\systemprofile\AppData\Local\CyberGhost\WGSession-1\CyberGhost-WireGuard-1.conf,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+dcrypt,,DiskCryptor,Impact,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DiskCryptor.csv
+dnsproxy,,dns-proxy,Defense Evasion,offensive_tool,critical,dnsproxy service,https://github.com/AdguardTeam/dnsproxy/pull/194/files
+final_seg,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv
+GetFullPrivs,,GetFullPrivs,Privilege Escalation,offensive_tool,critical,PoCs to get full privileges with DKOM method - GetFullPrivs,https://github.com/daem0nc0re/VectorKernel/blob/main/GetFullPrivs/README.md
+GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs to get full access process handle from kernelmode - GetProcHandle,https://github.com/daem0nc0re/VectorKernel/blob/main/GetProcHandle/README.md
+GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/
+InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md
+KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv
+KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv
+MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/
+maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv
+MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv
+Meterpreter,,metasploit,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv
+metsvc,metsvc-server.exe,Metasploit server,Exploitation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv
+ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded kernel drivers with DKOM method - ModHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ModHide/README.md
+Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md
+Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap
+OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv
+PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
+PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
+PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv
+physmem2profit,,physmem2profit,Credential Access,offensive_tool,critical,https://github.com/WithSecureLabs/physmem2profit/blob/2f64133bd9931303b8ae47630835e96347e0f294/server/Plugins/WinPmem.cs#L11,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/physmem2profit.csv
+PowerUpService,,PowerSploit Privesc.tests.ps1,Privilege Escalation,offensive_tool,critical,,https://github.com/PowerShellMafia/PowerSploit/blob/master/Tests/Privesc.tests.ps1
+PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PPLBlade.csv
+ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv
+ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md
+ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md
+PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv
+pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv
+PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv
+QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md
+RandomService,,Invoke-SMBRemoting,Lateral Movement,offensive_tool,critical,Invoke-SMBRemoting service example,https://github.com/Leo4j/Amnesiac/blob/216ba3a280bf49ea3f5b1afab80f843bbde3548d/Tools/Invoke-SMBRemoting.ps1#L33C99-L33C113
+RemCom Service,,RemCom.exe,Lateral movement,offensive_tool,critical,,https://github.com/kavika13/RemCom
+REPLACE_ME_DummyServiceName,,netexec,Credential Access,offensive_tool,critical,https://github.com/Pennyw0rth/NetExec/blob/b855dac2b696ea1b744f10a0573c6b394670a5cb/nxc/data/keepass_trigger_module/RestartKeePass.ps1#L4,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv
+Ring0NamedPipeFilter,,NamedPipeMaster,Privilege Escalation,offensive_tool,critical,https://github.com/gavz/NamedPipeMaster,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NamedPipeMaster.csv
+Service_*,,PsMapExec,Lateral Movement,offensive_tool,critical,PsMapExec creating services regex detection: Service_[A-Za-z]{16},https://github.com/The-Viper-One/PsMapExec/blob/0ae7a6967c07bf3ebf555e665d4c43ce86c6addf/PsMapExec.ps1#L1488
+sesshijack,,atomic-red-team test T1563.002,Persistence,offensive_tool,high,,https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md?plain=1
+SEVPNCLIENTDEV,*\Program Files\SoftEther VPN Client Developer Edition\vpnclient.exe*,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+Shadowsocks Local Service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv
+shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv
+SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW
+sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv
+SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv
+StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md
+svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv
+svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists
+TestService,,SharpyStay default,Persistence,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89
+TestSVC,,SharpyShell - Get-System.ps1 default service name,Privilege Escalation,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89
+UACBypassedService,,S4UTomato & KRBUACBypass,Privilege Escalation,offensive_tool,critical,https://github.com/wh0amitz/S4UTomato/blob/c709a2997efb1b30375c5134ff57eb49ec177918/S4UTomato/lib/KrbSCM.cs#L10 - https://github.com/wh0amitz/KRBUACBypass/blob/e2ad3ff8b5810dda0b2d75442f1c67aef7e3c4c1/KRBUACBypass/lib/KrbSCM.cs#L10,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv
+VPN Client Device Driver - VPN,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+WCESERVICE,,wce,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/wce.csv
+windows_monitoring,,social-engineer-toolkit persistence payload,Persistence,offensive_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/social-engineer-toolkit.csv
+winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/winexe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/winexe.csv
+WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
+WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
+WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv
+wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv	
+,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists
+,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists
+,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists
+,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml
@@ -0,0 +1,14 @@
+name: windows_suspicious_services
+date: 2025-02-07
+version: 1
+id: 8c214005-2b4e-49c8-bba6-747005f11296
+author: Steven Dick
+lookup_type: csv
+description: A list of suspicious Windows Service names and locations
+default_match: false
+match_type: 
+- WILDCARD(service_name)
+- WILDCARD(service_path)
+min_matches: 1
+max_matches: 1
+case_sensitive_match: false
